Resubmissions

Submitted          Analysis ID          Score
26-04-2021 19:08   210426-92eybkw776    10
21-04-2021 14:31   210421-3lfg6m2s5s    10

General

  • Target

    830bf0e8eec431d503aaaea6610b07b8.exe

  • Size

    562KB

  • Sample

    210421-3lfg6m2s5s

  • MD5

    830bf0e8eec431d503aaaea6610b07b8

  • SHA1

    4aeb762c22d5021f84f58a6dd8c15a45b356631e

  • SHA256

    ed6ad746aa432e0e2a0981b996869bd86349697f3850930d195bac3c360e3df8

  • SHA512

    865d9451d0c4810f6f9b267452aa2dea71b02be416fa4ec099918427f28c3641d25941330358a605cc4f406ceb4e784ff61f8e3b6c85f71252aed37ce8a25b3d

Malware Config

Targets

    • Target

      830bf0e8eec431d503aaaea6610b07b8.exe

    • Size

      562KB

    • MD5

      830bf0e8eec431d503aaaea6610b07b8

    • SHA1

      4aeb762c22d5021f84f58a6dd8c15a45b356631e

    • SHA256

      ed6ad746aa432e0e2a0981b996869bd86349697f3850930d195bac3c360e3df8

    • SHA512

      865d9451d0c4810f6f9b267452aa2dea71b02be416fa4ec099918427f28c3641d25941330358a605cc4f406ceb4e784ff61f8e3b6c85f71252aed37ce8a25b3d

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser profile data, which can include saved credentials, cookies and session tokens.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                      ID      Count
Defense Evasion    Install Root Certificate       T1130   1
Defense Evasion    Modify Registry                T1112   1
Credential Access  Credentials in Files           T1081   4
Discovery          Query Registry                 T1012   2
Discovery          System Information Discovery   T1082   2
Collection         Data from Local System         T1005   4

The IDs follow ATT&CK v6, the version this report was generated against. In current ATT&CK releases T1130 has been folded into T1553.004 (Subvert Trust Controls: Install Root Certificate) and T1081 into T1552.001 (Unsecured Credentials: Credentials In Files); T1112, T1012, T1082 and T1005 keep their IDs.
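The signatures listed under Targets and the ATT&CK rows above describe behaviours that are individually unremarkable (a browser reads its own Login Data, an installer walks the Uninstall key) but suspicious in combination from one process. The following is an added example, not part of the sandbox output and not code from the Triage or Vidar projects: it groups constructed Sysmon-style file-read and registry events per process and scores them against those categories. The application paths, the pid values and the on-disk location of the sample are assumptions made for the example, not artefacts recovered from this submission.

```python
"""Correlate host telemetry with the behaviours listed in this report.

Added example, not part of the sandbox output: constructed Sysmon-style
file-read and registry events are grouped per process and scored against
the signature categories above (browser profiles, messenger data, 2FA
software, wallet files, Uninstall-key enumeration, root-certificate
install). The application paths are common defaults and are assumptions
of this example, not artefacts recovered from the sample.
"""
import re

# Category -> regex applied to a lower-cased, backslash-normalised path.
CATEGORIES = {
    "browser_profile": re.compile(
        r"\\(google\\chrome|mozilla\\firefox|microsoft\\edge|bravesoftware)\\.*"
        r"(login data|cookies|web data|logins\.json|key4\.db)$"),
    "messenger_data": re.compile(r"\\(telegram desktop\\tdata|discord\\local storage)\\"),
    "twofa_files": re.compile(r"\\(authy desktop|winauth)\\"),
    "wallet_files": re.compile(r"\\(exodus|electrum|ethereum\\keystore|bitcoin)\\"),
    "uninstall_enum": re.compile(
        r"^hklm\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\uninstall"),
    "root_cert_install": re.compile(
        r"^hklm\\software\\microsoft\\systemcertificates\\root\\certificates\\"),
}
CREDENTIAL_STORES = {"browser_profile", "messenger_data", "twofa_files", "wallet_files"}


def classify(target):
    """Map one file or registry path to a category, or None if it is uninteresting."""
    path = target.replace("/", "\\").lower()
    for name, pattern in CATEGORIES.items():
        if pattern.search(path):
            return name
    return None


def reasons_for(categories):
    """Explain why a process's set of categories is suspicious (empty list if it is not)."""
    reasons = []
    stores = categories & CREDENTIAL_STORES
    # One store is normal for its own client (Chrome reads Login Data); a process
    # sweeping several stores while enumerating installed software is not.
    if len(stores) >= 2 and "uninstall_enum" in categories:
        reasons.append("reads %d credential stores and enumerates Uninstall keys" % len(stores))
    if "root_cert_install" in categories:
        reasons.append("writes to the machine ROOT certificate store")
    return reasons


def correlate(events):
    """Group events by pid -> {"image", "categories", "reasons"}."""
    per_pid = {}
    for ev in events:
        entry = per_pid.setdefault(ev["pid"], {"image": ev["image"], "categories": set()})
        category = classify(ev["target"])
        if category:
            entry["categories"].add(category)
    for entry in per_pid.values():
        entry["reasons"] = reasons_for(entry["categories"])
    return per_pid


def suspicious_pids(events):
    """Sorted pids that have at least one reason attached."""
    return sorted(pid for pid, e in correlate(events).items() if e["reasons"])


# Constructed telemetry: pid 4120 mimics the report's behaviours; 1788 and 2204 are benign.
SAMPLE = r"C:\Users\victim\Downloads\830bf0e8eec431d503aaaea6610b07b8.exe"  # location assumed
PROFILE = r"C:\Users\victim\AppData"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": SAMPLE, "target": PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": SAMPLE, "target": PROFILE + r"\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C"},
    {"pid": 4120, "image": SAMPLE, "target": PROFILE + r"\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 4120, "image": SAMPLE, "target": PROFILE + r"\Roaming\Authy Desktop\Local Storage\leveldb\000003.log"},
    {"pid": 4120, "image": SAMPLE, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4120, "image": SAMPLE, "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF"},
    {"pid": 1788, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2204, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ABCD-1234}"},
]

if __name__ == "__main__":
    for pid, entry in correlate(SAMPLE_EVENTS).items():
        print(pid, entry["image"], sorted(entry["categories"]), entry["reasons"])
```

Run as a script it prints one line per process; only pid 4120 receives reasons. The threshold (two or more credential stores plus Uninstall-key enumeration) is the point of the example: the same Chrome Login Data read that is benign from chrome.exe becomes a signal when the reader is also walking Telegram, wallet and 2FA directories, which is exactly how the individual signatures on this page add up. The ROOT certificate store write is reported separately because it is a defense-evasion indicator on its own regardless of what else the process touched.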

Tasks