General

  • Target

    9ff7923de3f164579964eab7e8f6e23a8ed18c488a862a504a23ef14281198de.zip

  • Size

    1.3MB

  • Sample

    210415-yp6kc7nfva

  • MD5

    9bd9a0db11cf1dcd9df94fb46eee6cc9

  • SHA1

    a0a04bd658fe4cf7bce338c97f589d5ce14552da

  • SHA256

    4feb2d9a3efc72a6516f42131cbea4410ab599cfc82c2d381c2ff73f41b8fc05

  • SHA512

    3272ed146153260d27d8199a5026709cc229250df9711c224aaac0aa11969cf6733b24f85cfa4877697c0a5fc8aaa969259e8fd53d4d5621acc18995647306bd

Malware Config

Targets

    • Target

      9ff7923de3f164579964eab7e8f6e23a8ed18c488a862a504a23ef14281198de

    • Size

      1.5MB

    • MD5

      a812b477526d412e6d89d9733b935406

    • SHA1

      dada6f2fde5f1679665625dfba529f0c13c1d1d5

    • SHA256

      9ff7923de3f164579964eab7e8f6e23a8ed18c488a862a504a23ef14281198de

    • SHA512

      2cd838e2d5a2c7ca6f4bfe6f2035084276677f526cab0194dd3b45007d8d0453528f8ded130dbd3484b751f76221f54c2c8866c137ddd44ae2096e3abefe0cff

    • Vidar

      Vidar is an infostealer based on the Arkei stealer.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates the subkeys of the registry Uninstall key (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to list the software installed on the system.

    • Suspicious use of SetThreadContext
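The signatures above are what the sandbox raises from the sample's file, registry and API activity. The Python below is an added example by the editor, not the sandbox's own signature engine, showing how such signatures can be derived from a process's event stream and rolled up into the ATT&CK v6 technique IDs the report lists. The events are constructed for the demonstration; the application data paths are the editor's assumptions about where those programs keep their data, and the signature-to-technique mapping is the editor's reading of the matrix in this report.

```python
"""Derive this report's behaviour signatures from per-process sandbox events.

Added example (editor's code, not the sandbox's). Data paths and the
signature-to-ATT&CK mapping are assumptions, not taken from the report.
"""
import re
from collections import defaultdict

# Stateless rules: (signature name as printed in the report, event operation,
# regex over the event target). Paths are editor's assumptions about where
# each application stores data.
RULES = [
    ("Reads user/profile data of web browsers", "file_read",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$"
                r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I)),
    ("Reads local data of messenger clients", "file_read",
     re.compile(r"\\Telegram Desktop\\tdata\\|\\discord\\Local Storage\\leveldb\\", re.I)),
    ("Accesses 2FA software files, possible credential harvesting", "file_read",
     re.compile(r"\\Authy Desktop\\Local Storage\\leveldb\\", re.I)),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", "file_read",
     re.compile(r"\\(Electrum\\wallets|Exodus\\exodus\.wallet|Ethereum\\keystore)\\", re.I)),
    ("Checks installed software on the system", "reg_query",
     re.compile(r"^HK(LM|CU)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    # The sandbox's own heuristic for "suspicious" is not known; a bare call is flagged here.
    ("Suspicious use of SetThreadContext", "api_call",
     re.compile(r"^SetThreadContext$")),
]

# Editor's reading of which signatures feed which ATT&CK v6 techniques
# (assumption; the report only lists the techniques and counts).
ATTACK_MAP = {
    "Reads user/profile data of web browsers": ("T1081", "T1005"),
    "Reads local data of messenger clients": ("T1081", "T1005"),
    "Accesses 2FA software files, possible credential harvesting": ("T1081", "T1005"),
    "Accesses cryptocurrency files/wallets, possible credential harvesting": ("T1081", "T1005"),
    "Checks installed software on the system": ("T1012", "T1082"),
}


def classify(events):
    """Return {signature: [matched targets]} for one process's event list."""
    hits = defaultdict(list)
    written = set()  # files this process wrote; needed for the dropped-DLL rule
    for ev in events:
        op, target = ev["op"], ev["target"]
        if op == "file_write":
            written.add(target.lower())
            continue
        # Stateful rule: a DLL counts as "dropped" only if the same process wrote it first,
        # so loading system DLLs does not fire it.
        if op == "image_load":
            if target.lower().endswith(".dll") and target.lower() in written:
                hits["Loads dropped DLL"].append(target)
            continue
        for name, rule_op, pattern in RULES:
            if op == rule_op and pattern.search(target):
                hits[name].append(target)
    return dict(hits)


def attack_techniques(hits):
    """Sorted ATT&CK technique IDs implied by the matched signatures."""
    return sorted({tid for name in hits for tid in ATTACK_MAP.get(name, ())})


# Constructed events for the demonstration (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"op": "file_write", "target": r"C:\ProgramData\dropped.dll"},
    {"op": "image_load", "target": r"C:\ProgramData\dropped.dll"},
    {"op": "image_load", "target": r"C:\Windows\System32\kernel32.dll"},
    {"op": "file_read", "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"op": "file_read", "target": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"op": "file_read", "target": r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\map0"},
    {"op": "file_read", "target": r"C:\Users\u\AppData\Roaming\Authy Desktop\Local Storage\leveldb\000003.log"},
    {"op": "file_read", "target": r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"op": "file_read", "target": r"C:\Users\u\Documents\notes.txt"},
    {"op": "reg_query", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}\DisplayName"},
    {"op": "api_call", "target": "SetThreadContext"},
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for name, targets in found.items():
        print(f"{name}: {len(targets)} event(s)")
    print("ATT&CK:", ", ".join(attack_techniques(found)))
```

Two points a practitioner should note. The dropped-DLL check is stateful on purpose: matching image loads alone would flag every process, so the rule requires the loading process to have written the DLL first. The path lists are the weakest part of any such rule set; stealers add new targets with each release, so treat them as a starting point to be maintained rather than a fixed signature.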

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Credential Access  Credentials in Files           4      T1081
  Discovery          Query Registry                 2      T1012
  Discovery          System Information Discovery   2      T1082
  Collection         Data from Local System         4      T1005

Tasks