General

  • Target

    5683120798072832.zip

  • Size

    450KB

  • Sample

    210915-rvrthadhbm

  • MD5

    5e80d3b4a91f24d7cd79c29bb97f2564

  • SHA1

    e3530d2fa040b5374dfa7da22d4cc2bf3e49fd14

  • SHA256

    495b5aa5c98799441ff007eae6a312366b1dc244ba8ef3ddf23ca5ffabf584ed

  • SHA512

    075be3e2744889d5191a35fa726326f165f5add7caf69fa5cc1ed142b48664637a8b51f6dcd09734470287fd6d597b1b7d5ce6a136ba4b9af23219b193dd1072

Malware Config

Extracted

Family

vidar

Version

26.1

Botnet

237

C2

http://centos10.com/

Attributes

  • profile_id

    237

Targets

    • Target

      0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127

    • Size

      594KB

    • MD5

      c25627d082399616d43b9ff5c66de1df

    • SHA1

      0d31624229601b16d037e22f8a204d3701d7540a

    • SHA256

      0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127

    • SHA512

      ee854ed5325c8de6aa68c9a3625d0e56d37f40302f1525c31df75b273bc12c59a46bd5bd736400821596b8fe068ef12a67900abaf06dafdec98c7f891f6bca09

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • Vidar Stealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 4

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 4

Tasks