Overview

overview

10

Static

static

Setup.exe

windows10-2004_x64

10

docs/userguide.pdf

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FiIe_Pass_1234.zip

  • Size

    5.3MB

  • Sample

    220429-j42fasebcm

  • MD5

    a544dfafbde1de3af68332f7f986299b

  • SHA1

    524c398bda11c10a7b6e5b386c0a215f0d8950d1

  • SHA256

    6457b347282528348505ac857ed020eea39d8a52ad904a73cb86909fd9eb0eff

  • SHA512

    1ea0e9afdf1e7f71deb842824cb780f672e67eab280c075d220c270c3b708adf6beab938244e018fd9e6b036f1eea369ee4d3e6ff2150c51db824f984d85d389

Score
10/10
vidar1281discoveryevasionspywarestealersuricatatrojan

Malware Config

Extracted

Family

vidar

Version

51.9

Botnet

1281

C2

https://koyu.space/@ronxik123

Attributes
  • profile_id

    1281

Targets

    • Target

      Setup.exe

    • Size

      335.3MB

    • MD5

      e9a3562f3851dd2dba27f90b5b2d15c0

    • SHA1

      98be930c6674cc31c9cf7efb656f7fadb320a273

    • SHA256

      e600b8ef36477ed37d924b1ba8deaadeab3275392ba0accd6329a11542adbaad

    • SHA512

      0cca077c8d12d7122b89dc1e6c60e13730e387fb194e6df6d64ae1ec9eb680d98251951d8a06d59c356d6c643fe9589be7ed22187306c47a15af8d5bf1e80740

    Score
    10/10
    vidar1281discoveryevasionspywarestealersuricatatrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

      suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      docs/userguide.pdf

    • Size

      1.6MB

    • MD5

      de0ece964c20ce9316f17874e2ef4b8b

    • SHA1

      3b3b02d59b636b3f789d5af88eadd63ac9af5d0e

    • SHA256

      73f0f8c4e621295960fa697188ce37c8332d62f8f0e1946913fb82ed4640cc51

    • SHA512

      5471b4f3c721ab9c4038b23e1d41051565cd7acea998f2a9ef169f9f6c4f72ead98b65d2f785decb2278ccac0d438249c8441955336c9cf48dd0327aad38fef0

    Score
    1/10
    behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks