General

  • Target

    8ecc0426ea37a5c9e59d00b4fde1508175a950372ec3870965f1e527634b3419

  • Size

    245KB

  • Sample

    221019-zktt4sgcem

  • MD5

    a31f40217e8040ce00838c9a12d3c719

  • SHA1

    9743ad9f955801c191266114f393deb346f6a1ee

  • SHA256

    f94866eb730506f427a0c554f04ce88fe937313dfa5b10417738fe214ca66a0d

  • SHA512

    383f562341e419b2200142363ae41cd89c52fe05e9e2e6841b71cf1383dc18f492dc315eb39f2010fffac1733f63e06279ad7669616cd2944ea29f9ff9d0c471

  • SSDEEP

    6144:ufuNT54dWkOcSk5ZJymwiIHUSVXwnQHVVSr:ufu/4dp/53FIHUSuCVVE

Malware Config

Extracted

  • Family

    vidar

  • Version

    55.1

  • Botnet

    517

  • C2

    https://t.me/tg_privatetalk

    https://nerdculture.de/@yixehi33

Attributes
  • profile_id

    517

Targets

    • Target

      8ecc0426ea37a5c9e59d00b4fde1508175a950372ec3870965f1e527634b3419

    • Size

      325KB

    • MD5

      e4e90e1dda4b51d199d449fa936db902

    • SHA1

      70de6b213f872ba782ba11cad5a5d1294ca9e741

    • SHA256

      8ecc0426ea37a5c9e59d00b4fde1508175a950372ec3870965f1e527634b3419

    • SHA512

      3958e1c40d69d5439b5e85bdb5765bb38ec5bba24f38a8aafb9a53c167ebaffb5c202441613af3f2d968c9c902de35036f67d87f7777efeb4c66869a7fc3c4ed

    • SSDEEP

      6144:neleO4eULHur41zAVbWuOcSk5ZVymwi0HUS5XwnQHEfAP+O9l:neleOzU7us1qCu/5PF0HUSyC2/W

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks