General
Target: d4359d5d0bbe9828a1340fb1d8537a74
Size: 6.7MB
Sample: 240318-w3sg8afb39
MD5: d4359d5d0bbe9828a1340fb1d8537a74
SHA1: 5c8805bd3c08d9866748ac033d9e0497bb84761c
SHA256: 57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
SHA512: 3ea8565784f17f44f1236d4176146e335e409f84514fff3c8d3a0099d8e7fe02dde340319e910b04296010df5e050835aa68bb62b40c1d18cd2c985ab23c2751
SSDEEP: 98304:pAI+SlhLuZHUt0eb4gECc3TKnUESV/eqRrqmfgSmhML0CzSbquFwa1//NbAxg6gJ:itBUieh7c56qRTL0oLKw+NcA4BzicQ
Static task: static1
Behavioral task: behavioral1
  Sample: d4359d5d0bbe9828a1340fb1d8537a74.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: d4359d5d0bbe9828a1340fb1d8537a74.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: vidar
  40.1
  916
  https://eduarroma.tumblr.com/
  profile_id: 916
Extracted: privateloader
  http://37.0.10.214/proxies.txt
  http://37.0.10.244/server.txt
  http://wfsdragon.ru/api/setStats.php
  37.0.10.237
Targets
Target: d4359d5d0bbe9828a1340fb1d8537a74 (6.7MB; same MD5, SHA1, SHA256, SHA512 and SSDEEP values as listed under General)
Signatures
PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Vidar Stealer
Blocklisted process makes network request
Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)