General
-
Target
6cd2a1ef915859f2e6cfaddfcc876c98
-
Size
597KB
-
Sample
220303-d1xp2saghr
-
MD5
6cd2a1ef915859f2e6cfaddfcc876c98
-
SHA1
9c8975025e9553c08546695b98e8b6987251def2
-
SHA256
33ac0ea43c425209053f9360bd243e68deca0eb5cb4e638c6da557eb36f78935
-
SHA512
7862d7cda69e3d2c820551214caa24b96148863c3139af0406b953820554886d29741f15a4a81945e22f79039824f56c52ece0e43a55eefcca755a6cd6502a05
Static task
static1
Behavioral task
behavioral1
Sample
6cd2a1ef915859f2e6cfaddfcc876c98.exe
Resource
win7-20220223-en
Malware Config
Extracted
vidar
50.4
565
https://mastodon.online/@samsa11
https://koyu.space/@samsa2l
-
profile_id
565
Targets
-
-
Target
6cd2a1ef915859f2e6cfaddfcc876c98
-
Size
597KB
-
MD5
6cd2a1ef915859f2e6cfaddfcc876c98
-
SHA1
9c8975025e9553c08546695b98e8b6987251def2
-
SHA256
33ac0ea43c425209053f9360bd243e68deca0eb5cb4e638c6da557eb36f78935
-
SHA512
7862d7cda69e3d2c820551214caa24b96148863c3139af0406b953820554886d29741f15a4a81945e22f79039824f56c52ece0e43a55eefcca755a6cd6502a05
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-