vidar | df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d | Triage

Submit
Reports

Overview

overview

Static

static

DF26B54B98...92.exe

windows7_x64

DF26B54B98...92.exe

windows10-2004_x64

Sharing

General

Target

DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe
Size

2.5MB
Sample

220531-ndpe9segbn
MD5

e0fe9226cd6652b14cc47ee7f35ae1d6
SHA1

b3de7a40c3586fe45ba1cd4e8929760d8a697250
SHA256

df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
SHA512

205e7a5f16c7b3caa4111e2949e703638655fbd2d4893932f83666da6ff247d23af72bf5953270377a59845e09104357133be76cda287808a7611421fd020de2

Score

10^/10

vidar 933 aspackv2 evasion stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe

Resource

win7-20220414-en

vidar 933 aspackv2 stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe

Resource

win10v2004-20220414-en

vidar 933 aspackv2 evasion stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

933

C2

https://shpak125.tumblr.com/

Attributes

profile_id
933

Targets

- Target
  
  DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe
- Size
  
  2.5MB
- MD5
  
  e0fe9226cd6652b14cc47ee7f35ae1d6
- SHA1
  
  b3de7a40c3586fe45ba1cd4e8929760d8a697250
- SHA256
  
  df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
- SHA512
  
  205e7a5f16c7b3caa4111e2949e703638655fbd2d4893932f83666da6ff247d23af72bf5953270377a59845e09104357133be76cda287808a7611421fd020de2
Score

10^/10

vidar 933 aspackv2 stealer evasion suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

vidar933aspackv2stealer

behavioral2

vidar933aspackv2evasionstealersuricatatrojan

© 2018-2024

Terms | Privacy