General

  • Target

    64fbd49f6c58bb38c5d55d3644f78f55163caa81b8a56dcf15486c5bda6a2f5c

  • Size

    542KB

  • Sample

    220520-fca79adccl

  • MD5

    293e517ba368609f2fd93e705dbc2bf2

  • SHA1

    89b03ee0010418257e6c9a2fd11a69de2d3c6f11

  • SHA256

    64fbd49f6c58bb38c5d55d3644f78f55163caa81b8a56dcf15486c5bda6a2f5c

  • SHA512

    e1932ff365569a0b0e368d7dcf0c46c30cf0db6e0956f5aca97d3d511cd1a7b7459eee98c6220fcff6d1970b3189565277a3c1dbaf22f8f3b198c0bcdcdeb719

Malware Config

Extracted

Family

vidar

Version

29.8

Botnet

517

C2

http://sastabiak.com/

Attributes
  • profile_id

    517

Targets

    • Target

      64fbd49f6c58bb38c5d55d3644f78f55163caa81b8a56dcf15486c5bda6a2f5c

    • Size

      542KB

    • MD5

      293e517ba368609f2fd93e705dbc2bf2

    • SHA1

      89b03ee0010418257e6c9a2fd11a69de2d3c6f11

    • SHA256

      64fbd49f6c58bb38c5d55d3644f78f55163caa81b8a56dcf15486c5bda6a2f5c

    • SHA512

      e1932ff365569a0b0e368d7dcf0c46c30cf0db6e0956f5aca97d3d511cd1a7b7459eee98c6220fcff6d1970b3189565277a3c1dbaf22f8f3b198c0bcdcdeb719

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    • Vidar Stealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

4
T1005

Tasks