General
-
Target
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882.dll
-
Size
646KB
-
Sample
220202-w4s55sbagl
-
MD5
a04d8167d9f4313b9f1e6ba38900306c
-
SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6
-
SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
-
SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf
Static task
static1
Behavioral task
behavioral1
Sample
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882.xll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882.xll
Resource
win10v2004-en-20220113
Malware Config
Extracted
vidar
50
1131
https://mastodon.social/@prophef6
https://noc.social/@prophef5
-
profile_id
1131
Targets
-
-
Target
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882.dll
-
Size
646KB
-
MD5
a04d8167d9f4313b9f1e6ba38900306c
-
SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6
-
SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
-
SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-