General

  • Target

    784d1f5c2ef013a0523ca0616f62698d.exe

  • Size

    2.4MB

  • Sample

    210827-rpwn7tbaga

  • MD5

    784d1f5c2ef013a0523ca0616f62698d

  • SHA1

    e4c76b676705a8ffcecb6fc8a9c2424300c9bd6c

  • SHA256

    598d944c8f0ef8d8536487bb9b62ff8fbf6758b37da5132e17fb31e07acddc65

  • SHA512

    3d08427e5fa3bf1cc31d0e8b97564c977ae8ea74afb5c3b2d87e36c63213148a85d84cd4a6f4a3d694459a79474f370b9cd131469f6a57e6c6ff6683038d7998

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

921

C2

https://eduarroma.tumblr.com/

Attributes
  • profile_id

    921

Targets

    • Target

      784d1f5c2ef013a0523ca0616f62698d.exe

    • Size

      2.4MB

    • MD5

      784d1f5c2ef013a0523ca0616f62698d

    • SHA1

      e4c76b676705a8ffcecb6fc8a9c2424300c9bd6c

    • SHA256

      598d944c8f0ef8d8536487bb9b62ff8fbf6758b37da5132e17fb31e07acddc65

    • SHA512

      3d08427e5fa3bf1cc31d0e8b97564c977ae8ea74afb5c3b2d87e36c63213148a85d84cd4a6f4a3d694459a79474f370b9cd131469f6a57e6c6ff6683038d7998

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Vidar Stealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Tasks