Overview

overview

10

Static

static

caec69a18e...66.exe

windows7_x64

10

caec69a18e...66.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66

  • Size

    706KB

  • Sample

    220624-2pacdafhgm

  • MD5

    105f94e56d5fc9fc7555aef13e0af78e

  • SHA1

    3bc068404a65522272c36b64cceb2adcabb04fb6

  • SHA256

    caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66

  • SHA512

    4e9136ad3b3b5b4090668ef66e455fc24e5813789a858018022398a84f018f8d7f41573933c3aecda7689926a4d61a1a1494bc5ed81805fb5848757960e777ae

Score
10/10
vidar288discoveryspywarestealersuricata

Malware Config

Extracted

Family

vidar

Version

12.8

Botnet

288

C2

http://dersed.com/

Attributes
  • profile_id

    288

Targets

    • Target

      caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66

    • Size

      706KB

    • MD5

      105f94e56d5fc9fc7555aef13e0af78e

    • SHA1

      3bc068404a65522272c36b64cceb2adcabb04fb6

    • SHA256

      caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66

    • SHA512

      4e9136ad3b3b5b4090668ef66e455fc24e5813789a858018022398a84f018f8d7f41573933c3aecda7689926a4d61a1a1494bc5ed81805fb5848757960e777ae

    Score
    10/10
    vidar288discoveryspywarestealersuricata

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata

    • Vidar Stealer

      stealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Tasks