vidar

General

Target

415383d2e7a7a338c2775d895a3e15b87b80be3d1889c32e74b58235f2c6218d
Size

1.5MB
Sample

220116-jnayeaffck
MD5

aa8e73e7c3be2c759ce76e2376aa8c7c
SHA1

e94188e4ceb1ae9d124eb60111808d7969e4e249
SHA256

415383d2e7a7a338c2775d895a3e15b87b80be3d1889c32e74b58235f2c6218d
SHA512

911b5053681a18816147e32b2e04602021592d56040ea914a8d73910f60660f39af9ae3bc8d336d1fe6a7e952d5cb257ddeac9123b2aa0a47762d05bb9cb386d

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

49.6

Botnet

1120

C2

https://noc.social/@banda5ker

https://mastodon.social/@banda6ker

Attributes

profile_id
1120

Targets

- Target
  
  415383d2e7a7a338c2775d895a3e15b87b80be3d1889c32e74b58235f2c6218d
- Size
  
  1.5MB
- MD5
  
  aa8e73e7c3be2c759ce76e2376aa8c7c
- SHA1
  
  e94188e4ceb1ae9d124eb60111808d7969e4e249
- SHA256
  
  415383d2e7a7a338c2775d895a3e15b87b80be3d1889c32e74b58235f2c6218d
- SHA512
  
  911b5053681a18816147e32b2e04602021592d56040ea914a8d73910f60660f39af9ae3bc8d336d1fe6a7e952d5cb257ddeac9123b2aa0a47762d05bb9cb386d
Score

10^/10

vidar 1120 discovery evasion spyware stealer suricata trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1