General

  • Target

    98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf

  • Size

    1.3MB

  • Sample

    211013-xl2v1afaf4

  • MD5

    f9e6e88eb092ccd7e4b8626cba905657

  • SHA1

    5fc08c1200531073b5484dd40f72c9c6c651f748

  • SHA256

    98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf

  • SHA512

    e399ac991b643f7ae3264c71cfc3e20eeff52adb53e5c6b12fee6c29d6e4523bc768553883ec6767811a2bf1744cb2773b4c804a9ee7c9c163274ecfa109fa74

Malware Config

Extracted

Family

vidar

Version

41.3

Botnet

921

C2

https://mas.to/@oleg98

Attributes
  • profile_id

    921

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 3