General

  • Target

    7631db7895c9e909932dc8d1a925c7c0dc2c15ef383ac13a0321564ff1d33a3e

  • Size

    616KB

  • Sample

    220520-d1pz7saecm

  • MD5

    c41cf853ad0947ea32e46c8893c5adc1

  • SHA1

    2e97e5d1516faa496a1d8dcdb0f62839aa59318d

  • SHA256

    7631db7895c9e909932dc8d1a925c7c0dc2c15ef383ac13a0321564ff1d33a3e

  • SHA512

    559beca7e734ef806dfe05c2fa3e0d3a3dcc0b2af452aa39b2afbfa416f86892b166b02f41b39c0581b47511ceed8df17aae6858172087b4c2d4af28ff049c37

Malware Config

Extracted

Family

vidar

Version

8.1

Botnet

231

C2

http://oldspicebest.com/

Attributes
  • profile_id

    231

Targets

    • Target

      7631db7895c9e909932dc8d1a925c7c0dc2c15ef383ac13a0321564ff1d33a3e

    • Size

      616KB

    • MD5

      c41cf853ad0947ea32e46c8893c5adc1

    • SHA1

      2e97e5d1516faa496a1d8dcdb0f62839aa59318d

    • SHA256

      7631db7895c9e909932dc8d1a925c7c0dc2c15ef383ac13a0321564ff1d33a3e

    • SHA512

      559beca7e734ef806dfe05c2fa3e0d3a3dcc0b2af452aa39b2afbfa416f86892b166b02f41b39c0581b47511ceed8df17aae6858172087b4c2d4af28ff049c37

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    • Vidar Stealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

4
T1005

Tasks