General

  • Target

    file.exe

  • Size

    365KB

  • Sample

    221106-sfkx3sgdd8

  • MD5

    4f079611c829965b37599ab3eacf1d5b

  • SHA1

    e811577cd81fb79ca1f4329c19e97205725d32c3

  • SHA256

    22a1d7e1b13a129f516a25f8f640cf744c1b37f1263bef3a1e02d99182e2dc25

  • SHA512

    8b0d475825aaa266e1ce079e6c678a2d3f52ac4f1937e6bb9c419ba631f032198ea4e99f0df19b517d26b86bc8ae3e775ec5451b834410cd5406f755e54fdf78

  • SSDEEP

    3072:FpWpzUiBWPd6A5LxF2J5XE1dd/1IGTKCVQLN7NdS7oT71I5xz0efVL6lfqEYGdQu:bZig4aL2J5X0d1TWN767EWb0e4kueT

Malware Config

Extracted

Family

vidar

Version

55.5

Botnet

937

C2

https://t.me/tg_turgay

https://ioc.exchange/@xiteb15011

Attributes
  • profile_id

    937

Targets

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 3
