vidar | e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948 | Triage

Submit
Reports

Overview

overview

Static

static

e3e3fab86a...48.exe

windows7_x64

e3e3fab86a...48.exe

windows10-2004_x64

1

Sharing

General

Target

e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948
Size

1.7MB
Sample

220202-w4cs6abagj
MD5

43aa5bbf3c44b243538175bd312cd8af
SHA1

ba2e14ccd5c148c7571671cc0d5f5a01049c38b9
SHA256

e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948
SHA512

77cae2b22bc8f9686d3dc0cfced72e4bb0ef81163e2cfc7e12ac88acc828742974677e8a303cb334a2eea7bc1797f434d0793609065b60e9bd6d1b1f449deb6e

Score

10^/10

vidar 1148 discovery spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948.exe

Resource

win7-en-20211208

vidar 1148 discovery spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948.exe

Resource

win10v2004-en-20220113

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

vidar

Version

50

Botnet

1148

C2

https://mastodon.social/@prophef6

https://noc.social/@prophef5

Attributes

profile_id
1148

Targets

- Target
  
  e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948
- Size
  
  1.7MB
- MD5
  
  43aa5bbf3c44b243538175bd312cd8af
- SHA1
  
  ba2e14ccd5c148c7571671cc0d5f5a01049c38b9
- SHA256
  
  e3e3fab86a5f23fce4ad40791aead7f2558d164a2f40124d217fb391a926c948
- SHA512
  
  77cae2b22bc8f9686d3dc0cfced72e4bb0ef81163e2cfc7e12ac88acc828742974677e8a303cb334a2eea7bc1797f434d0793609065b60e9bd6d1b1f449deb6e
Score

10^/10

vidar 1148 discovery spyware stealer suricata
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vidar1148discoveryspywarestealersuricata

behavioral2

© 2018-2024

Terms | Privacy