vidar

Sharing

Copy URL

Twitter E-mail

General

Target

animal99.zip
Size

7.3MB
Sample

221010-k35a8sbcg2
MD5

19f483ec45815b6b8126726d293b7f56
SHA1

13ea5e6d96a5057eaa18ddd99c134a3df7a7a6be
SHA256

a7cfbd37b35ccc452c4dd1f5519d21bbd7256b92257662c3ea861899cd5b60c1
SHA512

6f7907f02c0a3d085b938902e80e256a19ced2639613a1aa4d95dd42ee42090db88351a96544b6033aaf5b7630d908e6c447a010a6f68a5373569fc988d89144
SSDEEP

196608:hVK97KDtL1ReKOOlH8NUtRHbl4feiJ4b6V0cckI5MxaqNP:hqGDt5RezEH82rp4fB4b6uQb

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

54.9

Botnet

1142

https://t.me/larsenup

https://ioc.exchange/@zebra54

Attributes

profile_id
1142

Targets

- Target
  
  animal99.zip
- Size
  
  7.3MB
- MD5
  
  19f483ec45815b6b8126726d293b7f56
- SHA1
  
  13ea5e6d96a5057eaa18ddd99c134a3df7a7a6be
- SHA256
  
  a7cfbd37b35ccc452c4dd1f5519d21bbd7256b92257662c3ea861899cd5b60c1
- SHA512
  
  6f7907f02c0a3d085b938902e80e256a19ced2639613a1aa4d95dd42ee42090db88351a96544b6033aaf5b7630d908e6c447a010a6f68a5373569fc988d89144
- SSDEEP
  
  196608:hVK97KDtL1ReKOOlH8NUtRHbl4feiJ4b6V0cckI5MxaqNP:hqGDt5RezEH82rp4fB4b6uQb
Score

1^/10
behavioral1 behavioral2
- Target
  
  TradingView Premium portable_v.2.53.exe
- Size
  
  354.9MB
- MD5
  
  20ff4975e511cc5bf72ed3cb77146172
- SHA1
  
  62ed1b7346e456a34a6812bd7ed3c3746c2870bc
- SHA256
  
  bc3c8a31f944e92035a1d7ed1d6fab1bff723b1dd4f17e9bfeb20b25f19b316b
- SHA512
  
  e63eb32fc57729140eadd19a9b918d8019c24202a0883358e80d82ea99793e77e1eb8f7054657cd03b11664def1ebe94d8a5bbeaff123ae4fd52dbce31869730
- SSDEEP
  
  196608:66pHOtwZjreSOmXxiNsvdnHB8l0wnmvuV0Koku/MNkb:rutwJrerWxie9h8lvmvuuGU
Score

10^/10

vidar 1142 discovery evasion spyware stealer trojan vmprotect
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  langs/Hungarian.ini
- Size
  
  107KB
- MD5
  
  7591df7fae4342cbc7a0706e1b28e87b
- SHA1
  
  825e88ad498e8713522f5aef3b21ee01d6fa8b41
- SHA256
  
  fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d
- SHA512
  
  8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4
- SSDEEP
  
  3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X
Score

1^/10
behavioral5 behavioral6
- Target
  
  langs/Korean.ini
- Size
  
  91KB
- MD5
  
  efae0c78be2abe2920c78b9d4785ab45
- SHA1
  
  8c0799fb68852cb071bbe260deb4ab357bd5f4ed
- SHA256
  
  ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132
- SHA512
  
  44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8
- SSDEEP
  
  768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8