vidar

General

Target

d5a8b76a249af2b5f303b5d5161a489a5e0c54974a78a69306f4efc262a5c9f0
Size

848KB
Sample

210726-vssarhqze6
MD5

29b04c025deee623a9d0d646b2d4ec0d
SHA1

d5a86e8f9cfa1ff0da3f1d96ea5c4bd7793663f0
SHA256

d5a8b76a249af2b5f303b5d5161a489a5e0c54974a78a69306f4efc262a5c9f0
SHA512

6f062d2212c6ace3c51a9bcf84ebe7b4d8661a8bd9e762c566bcab0f576f7788be18ceba761e68c53b5db7a26c77baefb0d0fe40244c49c72ad2d77cdf6c1d2f

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

517

C2

https://shpak125.tumblr.com/

Attributes

profile_id
517

Targets

- Target
  
  d5a8b76a249af2b5f303b5d5161a489a5e0c54974a78a69306f4efc262a5c9f0
- Size
  
  848KB
- MD5
  
  29b04c025deee623a9d0d646b2d4ec0d
- SHA1
  
  d5a86e8f9cfa1ff0da3f1d96ea5c4bd7793663f0
- SHA256
  
  d5a8b76a249af2b5f303b5d5161a489a5e0c54974a78a69306f4efc262a5c9f0
- SHA512
  
  6f062d2212c6ace3c51a9bcf84ebe7b4d8661a8bd9e762c566bcab0f576f7788be18ceba761e68c53b5db7a26c77baefb0d0fe40244c49c72ad2d77cdf6c1d2f
Score

10^/10

vidar 517 discovery persistence spyware stealer suricata
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1