General
-
Target
setup.exe
-
Size
470KB
-
Sample
230415-apgmxadh9t
-
MD5
ddab7e661ea7e21ffeb5734215f57ae4
-
SHA1
0fe903952c84f4ac149d499e3520b8c36f30059a
-
SHA256
9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62
-
SHA512
7cb9f4983c5b46853a13f4f30669aa19703dd9fd724d7274f5775201e865b0f9027a6fe9c1c3726948d35b2be093a2e878b247eda2e493961ce5b62f03db5c74
-
SSDEEP
6144:ThNurJhw3quvV0W17a8TLD9fg3atx6yAH9K0y231HzJbVnTyGhFCGclxi:ThSJy1vV087a2Dhg3atIE0y23pGGh
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Targets
-
-
Target
setup.exe
-
Size
470KB
-
MD5
ddab7e661ea7e21ffeb5734215f57ae4
-
SHA1
0fe903952c84f4ac149d499e3520b8c36f30059a
-
SHA256
9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62
-
SHA512
7cb9f4983c5b46853a13f4f30669aa19703dd9fd724d7274f5775201e865b0f9027a6fe9c1c3726948d35b2be093a2e878b247eda2e493961ce5b62f03db5c74
-
SSDEEP
6144:ThNurJhw3quvV0W17a8TLD9fg3atx6yAH9K0y231HzJbVnTyGhFCGclxi:ThSJy1vV087a2Dhg3atIE0y23pGGh
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-