bluefox

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_e095c09c0839a85ecd84346a853c9c7333c51d1d0080ea41b5cee1f6f897c243
Size

36.3MB
Sample

241229-q4dskasqfr
MD5

2bc87d63f08f3083c32152b022d34a06
SHA1

bbb29747804fa1cb16ce950b9c93a8d77801d460
SHA256

e095c09c0839a85ecd84346a853c9c7333c51d1d0080ea41b5cee1f6f897c243
SHA512

e5022940dfc08572f84f4ca1c2d763c3bb5c1ce9eec701d781081d0e04a3fd4f665334b17e1dc8220cb7fa3fa21638a895c60a5168099e3bca6b866bd1dc2ed2
SSDEEP

786432:JmWO+snSUhLJXreRer6yhhSwTztExpaucJ+Ydu4uBdUNp:BiSUhLJXreRdyhfvaCeYdoc

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

54.9

Botnet

1695

https://t.me/larsenup

https://ioc.exchange/@zebra54

http://5.161.120.43:80

Attributes

profile_id
1695

Targets

- Target
  
  malware/1/Setup.exe
- Size
  
  355.0MB
- MD5
  
  99ff01f43531f0dfa0431e873c5d6088
- SHA1
  
  ac95931c65b0486d3709742a42c4a1acbc9c0e4e
- SHA256
  
  59970c3e43a481db1fc347eacb880fdc263d9cb162b76cbc19549c9a099dca1a
- SHA512
  
  42acf88f9ac66a416f31f1b6d6e49c344e8b0287f71b97d8bcd9389b5e7225beb6741124fbb4a473e804777ac56b9e2ddd8af330310a52fe23ab08460d028ca5
- SSDEEP
  
  196608:SDBCIQ9toymMFPYFdEHzdaB+6nLupPQx6Ac8b:MMXwTMmWi+6WQx6p
Score

10^/10

bluefox discovery stealer vmprotect
- BlueFox
  BlueFox is an infostealer written in C# and first seen in December 2021.
  stealer bluefox
- BlueFox Stealer payload
- Bluefox family
  bluefox
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1 behavioral2
- Target
  
  malware/2/Setup.exe
- Size
  
  95.8MB
- MD5
  
  823112d99e79a75360b4722c65ee0b8c
- SHA1
  
  491e93560f80ebcac0de3c60acd15e9274f5cfc0
- SHA256
  
  47c98538e5720cec349cb2a4b748e57356a204adc356dc84a939b26b72db041a
- SHA512
  
  3ff536e7e805b63b98a22f99d555255770c81134b08abaec3e97bd8844b45ca0b1722eb05a6ad41359b20a009f63ac2579eb74fc8d1d217554c2752951077229
- SSDEEP
  
  6144:YkFdY2LAObMeeeeeeedmgMrXhf3P//WZBj/LkZ+afxntlD/ogPtjQkjh6KQyCWC9:YkFRZeRf3P/eZJkZVfxt53hQkjiWC6K
Score

10^/10

vidar 1695 discovery stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
behavioral3 behavioral4
- Target
  
  malware/3/free_sea_of_thieves_hacks_(esp_.exe
- Size
  
  2.2MB
- MD5
  
  bbcbdf10e868888b4e282d7c5ae8284c
- SHA1
  
  6bcf6542cda09ea714fa9e5c3534f944c5850be7
- SHA256
  
  62884dd5b5d6a129bc9c7f58d9fd302840aeb3e57606739c5d00ccea4dadc4e5
- SHA512
  
  9b2c88302551202dd23513105b26d7d96c32759a250fe98533ba6c596fb862881b497616c86900cf81ae4fb5ebbff17ea51a65130deeca259ba9082b33862891
- SSDEEP
  
  49152:XBuZrEUtZgrzYCbf7iJI7c3955DdN7POGjb:xkLtZS8CbDiAc3955ljb
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  malware/4/Setup.exe
- Size
  
  95.7MB
- MD5
  
  b13417c3beed03acbdf87c4f7f453061
- SHA1
  
  812c395cee4a2c879da4298e8235524ecad8da7f
- SHA256
  
  aa5c896dc409b0c7522c6bc89e92abf8d0164c9c3812b66a694b8d35debdaf59
- SHA512
  
  585f796eeff3323e8ceab79dc0e41e66e9bd7f17e5b02e4dd4731d509e16858e128bb83c63a80901deff077606afe3518365d276efe9ad9e38d69be1716efe08
- SSDEEP
  
  6144:+kFdY2LAObMeeeeeeedNgMrXQf3J//WZBj/LkZ+afxntlD/ogPtjQkjh6KQyCWCQ:+kFRZFAf3J/eZJkZVfxt53hQkjiWC9K
Score

10^/10

vidar 1695 discovery stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
behavioral7 behavioral8
- Target
  
  malware/5/Data/Plug-ins/root/data/BIBUtils.dll
- Size
  
  184KB
- MD5
  
  71a8248b03bd87065d79bc6b7725980b
- SHA1
  
  bb225a3c718615a9c04a927084dd96ef97afa76a
- SHA256
  
  0adc38d6aa5e0c92022df8be0456f719a1e153ca48d4903f173fd3fb2a140a85
- SHA512
  
  c4bb9cefba3a78d792313e5011138dd2f084ad79df9baca0e3ca44fbddb77e89273a6208007ccfde7ad4e1c09751f59e71c29835856873a970a03b7a1ff11504
- SSDEEP
  
  3072:EMj8T0Owuzsi7NrOFZ7qAYTZibvGwVAuIFw//T9BH+u20uVHOAv07E:JwT3RzIT9BGPuAvj
Score

1^/10
behavioral10 behavioral9
- Target
  
  malware/5/Data/Plug-ins/root/data/CITThreading.dll
- Size
  
  161KB
- MD5
  
  08f8df5b67af0c9e43bae814bdb21eae
- SHA1
  
  b6b0608f96f912ed3994147a631b82bd346f13d4
- SHA256
  
  8327ba3d80d78ce232be9705484b93fb80142e9bfa0f27f564f9fb87a3f36fed
- SHA512
  
  0bc2065f530eacd70413d2456ab610bbededabebc08a3985e819558adab2f4bd86fa630a31522511adda4bbbf53f3ba8dc2a7755107f58be2dd961d44dc619a2
- SSDEEP
  
  3072:kJgP/Uzvw5CkjjtOrADecdC8KLiaQsKPfrz0++zQHCB/yBTu:hkzvLojtG+KLiJl3rIYCBqBS
Score

1^/10
behavioral11 behavioral12
- Target
  
  malware/5/Data/Plug-ins/root/data/CRClient.dll
- Size
  
  401KB
- MD5
  
  2985fc19302b7c20647dcf1c1b81c5bc
- SHA1
  
  a13c005e1448b55e046e1360d020c71d17376a46
- SHA256
  
  534d464db8b3c97c1ea0306406f123a4dd9b39a72e38dfd03021d8cc627225aa
- SHA512
  
  3190f93418d32baaf0bc7d15d06aa6fdf9442bb0f2b29188ca44cea84c3d6463f6dc41e54a994aa35b8a04e62d4a9ab2853e4ee0b440929e9f3370b50778c3c9
- SSDEEP
  
  12288:h7WftuCSC6qpzgCXTqXFEOk73KnaAdL13:8RGCXOXFEOk73Kn1dLx
Score

1^/10
behavioral13 behavioral14
- Target
  
  malware/5/Data/Plug-ins/root/data/ExtendScript.dll
- Size
  
  1.0MB
- MD5
  
  73c46efc00f45f9ab01321656a011d8f
- SHA1
  
  04e2ef3ddaeafcb8cdc89b527efd84abae36ab74
- SHA256
  
  849c268a4e6730e1108bb1261d4de8b8da55a7ad7b71388c8b989f74a091ab00
- SHA512
  
  0e8258b03aceca9a8a9c934b9db1f9f15585b314f30456047a5e01e53643c54921527f4fb92e615ed473a19ac9a7caf103b5fbeb9c77adf3fcb137114072f549
- SSDEEP
  
  6144:MGNZy1Ct8FWCmnGLhnhBzHEggfxUwRjSTw7X1I3Ye9nsOKJSrGIDQkOCYYSHLPTv:MIy1C6WBnGpzkggfxlwY3TAUb
Score

1^/10
behavioral15 behavioral16
- Target
  
  malware/5/Data/Plug-ins/root/data/JP2KLib.dll
- Size
  
  651KB
- MD5
  
  906a15589338b6008e55065531fd28c8
- SHA1
  
  ea07a69a23e31350099b0f652bed47dd1487b0b3
- SHA256
  
  cc2cfc09250cca4f8f714fc2189a1e8b2a3dfe569bb9feec2e67927a25715f19
- SHA512
  
  d353553a731f96e185bef722faca8acd0c163f286be1fb2775cbb6ad4a885e8d452c6ef3b9bd3b3a06ed492ffdb71c6348dcd19ed765f14fcdadacbe38964b95
- SSDEEP
  
  12288:HM8XoTiIVMMYkylpfe1fpF0dbtz8nd6nSGBDdJCAgH20:sbVMMYkylZebF0Zz8dAVBCAo
Score

1^/10
behavioral17 behavioral18
- Target
  
  malware/5/Data/Plug-ins/root/data/Microsoft.Expression.Interactions.dll
- Size
  
  89KB
- MD5
  
  6a3b9e46c41e42e7b8e1479468d892af
- SHA1
  
  e31c05ae685e51d07808b1dd24ceced9d299ed81
- SHA256
  
  f3b14defbd05493b8573016b08b86e5b5d53b486b0457fd75f67bf8bff04be38
- SHA512
  
  d6416204875ce732edac51e36f267c9cca52f60ba79cd981b388988e435bd1cce87f972a9e90be4fd9a7fd25cb316293f938f45fb645f25a4f62b980a37236b7
- SSDEEP
  
  1536:Srf5GttgxHXEuRmG5rtkGY4CEmWAxXSSYhhS98ca2Wvsd65FJDlGWwkEy:a5GttWHXEUx5r65LxXshk8JDIWP
Score

1^/10
behavioral19 behavioral20
- Target
  
  malware/5/Data/Plug-ins/root/data/Newtonsoft.Json.dll
- Size
  
  647KB
- MD5
  
  5afda7c7d4f7085e744c2e7599279db3
- SHA1
  
  3a833eb7c6be203f16799d7b7ccd8b8c9d439261
- SHA256
  
  f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
- SHA512
  
  7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944
- SSDEEP
  
  6144:3o4V9ynqKoxhi0gAsfLBhJJzhGIVrdhoHuLFGAJmKApt5psaLGBFahKGRd67XLEm:LyncxQRhJJzhoqgH5sB4dxHG
Score

1^/10
behavioral21 behavioral22
- Target
  
  malware/5/Data/Plug-ins/root/data/SQLite.Interop.dll
- Size
  
  1.1MB
- MD5
  
  5e99e9d7b9629bc21074718c1f974215
- SHA1
  
  4466e57c7b7ebf8450022888376bddce8f694b54
- SHA256
  
  8de21caa05e042e9b88bccd4cbcaf4805c457616f5989a4a75aa3f8e10a6b2fe
- SHA512
  
  7e93bea5ff1029c854f5928b6cd0d6a94a2688f17838217ed02b12cef20839b915b4c28ee3ec10a2b42a3b4913b9eea4ab3c1e278d36499c9936803aeedf0aa1
- SSDEEP
  
  24576:k3/SHu5WhsKfScMiASYfqpaVfBLisPSVFvFevynqEqLT9oyO:kPSHuEOj/fqcBjPSPFev8gmy
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  malware/5/Data/Plug-ins/root/data/SharpRaven.dll
- Size
  
  96KB
- MD5
  
  1bd677bea16cf6490c6cf35c0d1c0174
- SHA1
  
  dd7b027aa51433c824e99cac7b7a8c5c27a28a3f
- SHA256
  
  d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955
- SHA512
  
  ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82
- SSDEEP
  
  1536:zKKw4TfSgLOwanNdGzV9P23rl0LnITwa8yNpgwoIhAm7:zKKBrbanrp0k38yNumr
Score

1^/10
behavioral25 behavioral26
- Target
  
  malware/5/Data/Plug-ins/root/data/System.Data.SQLite.dll
- Size
  
  337KB
- MD5
  
  03311a06b7516b5a998f5966bd45088a
- SHA1
  
  dd560c6b59d8abfa88dcc6eb438e1e58e3d90bbc
- SHA256
  
  05d68a3cd4d52c268880b0c6bc32acea60fb674e9b72b1cad5c0d08600c3d021
- SHA512
  
  b4167f57f463396b0b24c44e77274ff077b673dec5179e65ba3f432ab180a511dd3a58e659eaedb48356d23bacf326b7e69ddbcadc4c371880f93a975a2613c7
- SSDEEP
  
  6144:i4xtlRVuJ4v4pFNFaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbZ:Xljdv4pFNFaFeFOFwcGF6cmFWc0FWc8O
Score

1^/10
behavioral27 behavioral28
- Target
  
  malware/5/Data/Plug-ins/root/data/System.Windows.Interactivity.dll
- Size
  
  39KB
- MD5
  
  3ab57a33a6e3a1476695d5a6e856c06a
- SHA1
  
  dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7
- SHA256
  
  4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876
- SHA512
  
  58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92
- SSDEEP
  
  768:6MazwAgR8/XJ665bKZdxuB8DCuL5enM7JxKjuMlZCZN+R0E7E:63wBccZdxuB8mQen6JxKjrlMZgR0Eo
Score

1^/10
behavioral29 behavioral30
- Target
  
  malware/5/Data/Plug-ins/root/data/api.work
- Size
  
  21KB
- MD5
  
  28a14d5d6c3912ea3cd20b7e94757441
- SHA1
  
  a21fb4bdfb0b063a83e818c18bba396b26fc2655
- SHA256
  
  4dcbaf51457660f0f4edbb916ba20fbb5003ba5bba923d60e41494ddca9d091a
- SHA512
  
  1300699cb4e8510c946abdac9dfcb37c262c1485e7886cbb27d985c7b6b9b9d2ab02dee10f9430b4df21839282cc7efa9f0fa13fe7a9d4e2c67676cb7bd37289
- SSDEEP
  
  384:mcq9EarSceeQMORRKx6kDr4VCPH3ZaSKHxka2Eci2mL:ONrbQMOHKxJxa2ch2mL
Score

3^/10

execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

BlueFox Stealer payload

Bluefox family

VMProtect packed file

Vidar

Vidar family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

Suspicious use of SetThreadContext

Vidar

Vidar family

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32