General

  • Target

    16392aff3e3d431b88c986092e59ee3e.exe

  • Size

    537KB

  • Sample

    210727-2a7fblwhds

  • MD5

    16392aff3e3d431b88c986092e59ee3e

  • SHA1

    d6bc54ace7185f1dd448d4e51ab13f1cd7172711

  • SHA256

    fd1ccacb667af6c1bb28bbfa7da1729407f873d3e69c28d8cc933af562e95624

  • SHA512

    89eb197f9b5581fe1638415b76a21b6dfd716923b39b941668649c47e2d3cc2553220a4606a63b2615946fc4e81f0f96ebd1a72f6ebebdce669fec05845b7057

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

313

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    313

Targets

    • Target

      16392aff3e3d431b88c986092e59ee3e.exe

    • Size

      537KB

    • MD5

      16392aff3e3d431b88c986092e59ee3e

    • SHA1

      d6bc54ace7185f1dd448d4e51ab13f1cd7172711

    • SHA256

      fd1ccacb667af6c1bb28bbfa7da1729407f873d3e69c28d8cc933af562e95624

    • SHA512

      89eb197f9b5581fe1638415b76a21b6dfd716923b39b941668649c47e2d3cc2553220a4606a63b2615946fc4e81f0f96ebd1a72f6ebebdce669fec05845b7057

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Vidar Stealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Tasks