General

  • Target

    10084850b03a65bc94899e41680e6207ab71c6b96a7bf65f6086fbba41cc7b5c

  • Size

    1004KB

  • Sample

    220604-qzz51ahfd5

  • MD5

    d9160e846a7dd1f58b972a5550999999

  • SHA1

    e469d8d8cfb0229debf5b978c12fec6d4732d080

  • SHA256

    10084850b03a65bc94899e41680e6207ab71c6b96a7bf65f6086fbba41cc7b5c

  • SHA512

    f91d667a89311b035d6044e9b9e4e1f73160f8528a44ccb3f6b3a8352541339787e4e9e5f9b06b584caf4c5fbc2484a4a9d5e6fad4e9c9389d60ee6e0d2c93a8

Malware Config

Extracted

Family

vidar

Version

16

Botnet

237

C2

http://crarepo.com/

Attributes
  • profile_id

    237

Targets

    • Target

      10084850b03a65bc94899e41680e6207ab71c6b96a7bf65f6086fbba41cc7b5c

    • Size

      1004KB

    • MD5

      d9160e846a7dd1f58b972a5550999999

    • SHA1

      e469d8d8cfb0229debf5b978c12fec6d4732d080

    • SHA256

      10084850b03a65bc94899e41680e6207ab71c6b96a7bf65f6086fbba41cc7b5c

    • SHA512

      f91d667a89311b035d6044e9b9e4e1f73160f8528a44ccb3f6b3a8352541339787e4e9e5f9b06b584caf4c5fbc2484a4a9d5e6fad4e9c9389d60ee6e0d2c93a8

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    • Vidar Stealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

4
T1005

Tasks