Resubmissions

22-04-2022 11:52

220422-n1tcqscad7 10

19-04-2022 14:05

220419-rdt8asfbg5 7

General

  • Target

    bc4d1e8e09905b7dd1d4b14ae7ba3b100e1baa7aeb567e225107d4439da03403

  • Size

    635KB

  • Sample

    220422-n1tcqscad7

  • MD5

    ebfb5ded5dc595e22ee02b08597b93eb

  • SHA1

    8c33736b8b3dc750027ef49b1059d5d3a231182a

  • SHA256

    bc4d1e8e09905b7dd1d4b14ae7ba3b100e1baa7aeb567e225107d4439da03403

  • SHA512

    e74d3f71ece40008cdcb7bcdfc6547ca406e4fb3fd3048177648d0ae906ad11223412963ee6b2b3ebe70a14006bc4ddb9d387b129a4f27fd34c4e8a9f5afdead

Malware Config

Extracted

Family

vidar

Version

51.7

Botnet

977

C2

https://t.me/hi20220412

https://noc.social/@samal6

Attributes
  • profile_id

    977

Targets

    • Target

      bc4d1e8e09905b7dd1d4b14ae7ba3b100e1baa7aeb567e225107d4439da03403

    • Size

      635KB

    • MD5

      ebfb5ded5dc595e22ee02b08597b93eb

    • SHA1

      8c33736b8b3dc750027ef49b1059d5d3a231182a

    • SHA256

      bc4d1e8e09905b7dd1d4b14ae7ba3b100e1baa7aeb567e225107d4439da03403

    • SHA512

      e74d3f71ece40008cdcb7bcdfc6547ca406e4fb3fd3048177648d0ae906ad11223412963ee6b2b3ebe70a14006bc4ddb9d387b129a4f27fd34c4e8a9f5afdead

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks