General

Target: TpmVhvATwSgr3krs5olUO9wY.exe
Size: 661KB
Sample: 210903-qech7sgcfr
MD5: 78c06b9a03f2d8fcb86e7e0a8cedb5da
SHA1: 2f44713c28754eeef871ccbbd9e8784dd145d5f8
SHA256: aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc
SHA512: 7e9447aa24927deeb094c0211b1cd0302bf3479e53ac225e8c4fb9bc68905ae645b3ce3e11cad2b9c54a5811f2615235bff2ce00d1b0b328ae532fda9720c771
Static task: static1
Behavioral task: behavioral1
Sample: TpmVhvATwSgr3krs5olUO9wY.exe
Resource: win7v20210408
Malware Config

Extracted
Family: vidar
Version: 40.4
Botnet: 937
C2: https://romkaxarit.tumblr.com/
Attributes: profile_id = 937

The C2 value here is a dead-drop resolver, not the upload server: Vidar fetches a public profile page on a social or blogging site and parses the real C2 address out of it, so the host that actually receives the stolen data only shows up in the network traffic of the behavioral run, not in the extracted config.
Targets

Target: TpmVhvATwSgr3krs5olUO9wY.exe
Size: 661KB
MD5: 78c06b9a03f2d8fcb86e7e0a8cedb5da
SHA1: 2f44713c28754eeef871ccbbd9e8784dd145d5f8
SHA256: aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc
SHA512: 7e9447aa24927deeb094c0211b1cd0302bf3479e53ac225e8c4fb9bc68905ae645b3ce3e11cad2b9c54a5811f2615235bff2ce00d1b0b328ae532fda9720c771
Suricata alerts:
- ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- ET MALWARE Vidar/Arkei Stealer Client Data Upload
- ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Signatures:
- Vidar Stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
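The three Suricata alerts listed for this sample all fire on the outbound HTTP upload. The first is a plain content-match rule: it looks for a zip local file header whose member name is Passwords.txt inside the body of an outbound POST. The Python below is an added example written for this page, not code from the sandbox, from the Emerging Threats rule set, or from the sample itself. It builds a constructed multipart upload around a zip (the member names, the boundary string and the SUSPICIOUS_MEMBERS list are assumptions chosen for illustration) and scans it the way such a rule does, walking local file headers rather than trusting the central directory so that it also works on a truncated capture.

```python
"""Added example for this report; not code from the sandbox or the sample.

Shows what a "Suspicious Zipped Filename in Outbound POST Request" style rule
keys on: a zip local file header carrying a known stealer output name inside
an HTTP POST body. The archive, the POST body and the name list are all
constructed in this file."""
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"  # zip local file header signature (APPNOTE 4.3.7)

# Assumed list of archive member names worth alerting on. Passwords.txt is the
# one named in the Suricata alert above; the others are illustrative.
SUSPICIOUS_MEMBERS = {"passwords.txt", "information.txt", "cookies.txt"}


def build_upload(members: dict, boundary: str = "----boundary") -> bytes:
    """Constructed stand-in for a stealer upload: a zip in a multipart POST body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    head = (f"--{boundary}\r\n"
            'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + buf.getvalue() + f"\r\n--{boundary}--\r\n".encode()


def zip_member_names(blob: bytes) -> list:
    """Walk every zip local file header found in a byte blob.

    Scans instead of parsing the central directory, so it also works on a
    truncated capture, which is all a content-match rule ever sees. When the
    header carries a compressed size we jump over the data; for data-descriptor
    entries (size 0 in the header) we fall back to searching for the next
    signature, which can mis-fire if compressed data happens to contain it."""
    names = []
    pos = blob.find(LFH_SIG)
    while pos != -1 and pos + 30 <= len(blob):
        # fixed header layout: compressed size at +18, name/extra lengths at +26/+28
        csize, = struct.unpack_from("<I", blob, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        name_start = pos + 30
        names.append(blob[name_start:name_start + name_len].decode("utf-8", "replace"))
        data_start = name_start + name_len + extra_len
        pos = blob.find(LFH_SIG, data_start + csize if csize else data_start)
    return names


def is_stealer_upload(method: str, body: bytes) -> bool:
    """True when an outbound POST body carries a zip member with a suspicious name.

    Matches case-insensitively on the basename; that is an assumption of this
    example, a production rule may be stricter."""
    if method.upper() != "POST":
        return False
    for name in zip_member_names(body):
        if name.lower().rsplit("/", 1)[-1] in SUSPICIOUS_MEMBERS:
            return True
    return False


if __name__ == "__main__":
    # constructed inputs: a stealer-style archive and a benign one
    evil = build_upload({"information.txt": b"OS: Windows 7", "Passwords.txt": b"site|user|pass"})
    benign = build_upload({"report/readme.txt": b"weekly numbers"})
    print(zip_member_names(evil), is_stealer_upload("POST", evil))      # ['information.txt', 'Passwords.txt'] True
    print(zip_member_names(benign), is_stealer_upload("POST", benign))  # ['report/readme.txt'] False
```

Run it as-is to see the constructed stealer upload flagged and the benign one passed. The point for detection engineering is that the rule keys on the bytes of the member name in the local file header: zip encryption does not hide those names, since only entry data is encrypted, so an encrypted archive still trips the rule, whereas renaming the output files or nesting the zip inside another container does not.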