General

  • Target

    efd055ee7d3d09c7211dd6aceef64f42ff62d01edf0105d06d77d0b92411bedc

  • Size

    771KB

  • Sample

    210721-zrdp5q97qe

  • MD5

    38911964dcd075508c459254ad27517d

  • SHA1

    22c468c8d5efd3a5950ff1b28dbfa47b0a42f842

  • SHA256

    efd055ee7d3d09c7211dd6aceef64f42ff62d01edf0105d06d77d0b92411bedc

  • SHA512

    8e5cce82d2e222bf1fef8027533a17564041206d29611192cfe65c2a194a2bf8aa0be4d9414672a4361b43ec091d070267df6d806b932d96a9c2a6e292740971

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

517

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    517

Targets

    • Target

      efd055ee7d3d09c7211dd6aceef64f42ff62d01edf0105d06d77d0b92411bedc

    • Size

      771KB

    • MD5

      38911964dcd075508c459254ad27517d

    • SHA1

      22c468c8d5efd3a5950ff1b28dbfa47b0a42f842

    • SHA256

      efd055ee7d3d09c7211dd6aceef64f42ff62d01edf0105d06d77d0b92411bedc

    • SHA512

      8e5cce82d2e222bf1fef8027533a17564041206d29611192cfe65c2a194a2bf8aa0be4d9414672a4361b43ec091d070267df6d806b932d96a9c2a6e292740971

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks