General

  • Target

    f97fec52523e2721a7afa7cbdc2312ad

  • Size

    658KB

  • Sample

    210906-w3q96abda5

  • MD5

    f97fec52523e2721a7afa7cbdc2312ad

  • SHA1

    f166717aa23b9a15f24cd35dcab18b8418772c69

  • SHA256

    043c25b04ea964e42dc0806c735f701fd1365f8451329a0f41d2ab707cc70e8c

  • SHA512

    894de7cea9b3f22437d249861049d51d1d760011f6f0fd4ae5bdc63c9aef01d9f4ae679738fc8c09a0973a0d04dfcb1c94969129d4183606e44606138191fd3d

Malware Config

Extracted

Family

vidar

Version

40.4

Botnet

921

C2

https://romkaxarit.tumblr.com/

Attributes
  • profile_id

    921

Targets

    • Target

      f97fec52523e2721a7afa7cbdc2312ad

    • Size

      658KB

    • MD5

      f97fec52523e2721a7afa7cbdc2312ad

    • SHA1

      f166717aa23b9a15f24cd35dcab18b8418772c69

    • SHA256

      043c25b04ea964e42dc0806c735f701fd1365f8451329a0f41d2ab707cc70e8c

    • SHA512

      894de7cea9b3f22437d249861049d51d1d760011f6f0fd4ae5bdc63c9aef01d9f4ae679738fc8c09a0973a0d04dfcb1c94969129d4183606e44606138191fd3d

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Tasks