General

  • Target

    1f2205ec9f11bfba6d97ac92fd3b960a5697e27d867a74c3d7ba47d2a338e64c

  • Size

    146KB

  • Sample

    221005-3gywfafhg4

  • MD5

    3054e51f328957b83a472c3fb5ca02e4

  • SHA1

    a592671a0792c56b46b14193c21722e34871a4e9

  • SHA256

    1f2205ec9f11bfba6d97ac92fd3b960a5697e27d867a74c3d7ba47d2a338e64c

  • SHA512

    d5129204fe6739dfe56e3150728f62c56768ed3d3d8efa6a1bc85e5cd138dc3ea405114baaa0546b1cf44516923c1639e3834d7cff7dc0422bddce196a161bb8

  • SSDEEP

    3072:eYJv+XW9hfTdCohCaVE88na+wYka1QgwrO:B5YeEypVEFgYka+gY

Malware Config

Extracted

Family

vidar

Version

54.9

Botnet

1681

C2

https://t.me/larsenup

https://ioc.exchange/@zebra54

Attributes
  • profile_id

    1681

Targets

    • Target

      1f2205ec9f11bfba6d97ac92fd3b960a5697e27d867a74c3d7ba47d2a338e64c

    • Size

      146KB

    • MD5

      3054e51f328957b83a472c3fb5ca02e4

    • SHA1

      a592671a0792c56b46b14193c21722e34871a4e9

    • SHA256

      1f2205ec9f11bfba6d97ac92fd3b960a5697e27d867a74c3d7ba47d2a338e64c

    • SHA512

      d5129204fe6739dfe56e3150728f62c56768ed3d3d8efa6a1bc85e5cd138dc3ea405114baaa0546b1cf44516923c1639e3834d7cff7dc0422bddce196a161bb8

    • SSDEEP

      3072:eYJv+XW9hfTdCohCaVE88na+wYka1QgwrO:B5YeEypVEFgYka+gY

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks