Overview

overview

10

Static

static

0x00050000...at.exe

windows7_x64

10

0x00050000...at.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0x000500000001abb1-152.dat

  • Size

    674KB

  • Sample

    211028-w87t4agghq

  • MD5

    e6904455750065e6351626c373eba2bb

  • SHA1

    e2917ff943628d8e9a715c1fadf20688d3e6396e

  • SHA256

    18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

  • SHA512

    838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Score
10/10
vidar754discoveryspywarestealersuricata

Malware Config

Extracted

Family

vidar

Version

41.6

Botnet

754

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    754

Targets

    • Target

      0x000500000001abb1-152.dat

    • Size

      674KB

    • MD5

      e6904455750065e6351626c373eba2bb

    • SHA1

      e2917ff943628d8e9a715c1fadf20688d3e6396e

    • SHA256

      18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

    • SHA512

      838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

    Score
    10/10
    vidar754stealerdiscoveryspywaresuricata

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks