General

  • Target

    d93befb933caaf737d83b0aee9577449

  • Size

    3MB

  • Sample

    210707-6wrcfdbyye

  • MD5

    d93befb933caaf737d83b0aee9577449

  • SHA1

    2524f6afd33f0b787db7251d78c4ef5b7961913a

  • SHA256

    9dc2aee4b65b09658a4412e9cd10aaf655faeb9b5500241455c0183150581e1e

  • SHA512

    8c437345af6ce2f2d37068c2fd23dc52659223dcdbe1c982ce1a4acc991c1f969c21a8d176b3327bc47c4b542ad9333dcc7f6d660c48b6bd4ef3e994e3277e12

Malware Config

Extracted

  • Family

    vidar

  • Version

    39.4

  • Botnet

    950

  • C2

    https://sergeevih43.tumblr.com

  • Attributes

    profile_id: 950

Targets

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Virtualization/Sandbox Evasion (2) T1497
    Install Root Certificate (1) T1130
    Modify Registry (1) T1112

  • Credential Access

    Credentials in Files (3) T1081

  • Discovery

    Query Registry (5) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (3) T1082

  • Collection

    Data from Local System (3) T1005

Tasks