General

  • Target

    Software_Yuki.zip

  • Size

    1.4MB

  • Sample

    221111-gdfd2abear

  • MD5

    d8edde8e242fe61b58265c6a326ea435

  • SHA1

    d8c50123a7d8bae21fbf1a826a06f6534f00039f

  • SHA256

    19857840331c8cc15dca34f5ad42c9d413cedfa307707d9c3764f2e7b43fc500

  • SHA512

    23a1ba690541d4d976407a120fe65cf9525409a1590750cfec821e41669d657fd56d89b2fac33f15dc93715d3477b467a5db0081159252038c0e3c3b348ff687

  • SSDEEP

    24576:FAFUwIND8EcBD1YjTqnw4UFlxYYitUEoiIlPchl4itVnjLWibSm0Mus:FOai0jGSwzslPYl/uAz0fs

Malware Config

Extracted

  • Family

    vidar

  • Version

    55.6

  • Botnet

    1325

  • C2

    https://t.me/seclab_new
    https://koyu.space/@ofade

  • Attributes

      • profile_id

        1325

Targets

    • Target

      Software Yuki/Set_Yuki_x64.exe

    • Size

      686.6MB

    • MD5

      3086921f1e7c9f7156ccbc08c9fa25a2

    • SHA1

      80e78e6e4a9427729c977e30ee2cc84813542092

    • SHA256

      2e2495ef2e8166ecf1015d54972ad676cf3deb5b8b0f32f434dfda48205b87ab

    • SHA512

      81e2a221f6070bc255d53e3c4d09b6c681810d977d2d86e6f0f6758f59664bd5e158c3367b6b5ef2232c3f3f7016a02e18069ce06fd7c34817a8020e9ecac622

    • SSDEEP

      24576:uv66t3q/zhIYCpnviF18f5xn/T8BlnpvgSHhD:JsqlRuxn/T8j6s

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Software Yuki/SoftwareDataDebug/examples/android.py

    • Size

      542B

    • MD5

      9d06948472ef50cae816f2bc396572b9

    • SHA1

      d7077b7370b6aa96de197556dad73fa42bc9cde5

    • SHA256

      cd7fbe2d691ea6ebfec63a55408a7266c26ce467650d39cd43924b05ed681e2b

    • SHA512

      0acf8fb10c7705e6eedf03b6e9ae19fa23983f9505fee4c7e7495d2f74405b6b86cd1e7fd205c655fe561207b3ffa6d66b5ca3466642eb667df78b199678a0dc

    • Score

      3/10

    • Target

      Software Yuki/SoftwareDataDebug/examples/appium_example.py

    • Size

      2KB

    • MD5

      ea74819618a051e2536f122af645a599

    • SHA1

      ebad572761ef4afd27f8f5f93f490836e57b8043

    • SHA256

      a39c82e31d8fc14571cdb84ac06db6e27f338bfa5c6e7532e4bb1363391fc5cf

    • SHA512

      44db269a386891df12e44a4f04c6312b0c996625692a15e3b961bbc5d7adaff2001718ba641b9b17d514495091a40bb47cf7a686cf4b188188d3601ea59079f9

    • Score

      3/10

    • Target

      Software Yuki/SoftwareDataDebug/examples/appium_helper.py

    • Size

      2KB

    • MD5

      9e15789e5707991cb0089c95c5a540fe

    • SHA1

      544e4c2d8d9d1f4c70d9652d8315c9e6918cbaf0

    • SHA256

      567310f70edc643667c4e1dd4bfc37377283f49b1176460fa6bfe5e99fb3c66c

    • SHA512

      cc4c7f05772715615fe31022a0491641ba75af71deefe6da6a299dc0c41f68987deb7fc99e9a07713b416060030316ee97a39e60a754ff51ded00d20294e7419

    • Score

      3/10

    • Target

      Software Yuki/SoftwareDataDebug/examples/appium_simple.py

    • Size

      1KB

    • MD5

      db02d17fe9c460c8ddfe35e227d3c0d1

    • SHA1

      729e66d40e35a2614e5955ce25367b44004a1693

    • SHA256

      530150a40470a6ab4f3cc7a85b5e1b47b1c6e60fa0331780b9b03bc7846e29ad

    • SHA512

      963ab8ec6fb2f710ab26c31992a54d1db0877b658a12d8a8bff4bd2e004e1d7d329907d58bd26ff06d507944a8ee1cdbd2e54b5260cdbff030c591aaf06ea033

    • Score

      3/10

    • Target

      Software Yuki/SoftwareDataDebug/examples/desktop.py

    • Size

      438B

    • MD5

      590b81e3bad1a80c955c3604e7db73eb

    • SHA1

      a09783cb6addff207a4edff0be058417f6b769de

    • SHA256

      ebe2c5d92dc865fc03252506aa80e914c94f7b8a9d020541794e44adb94ac2d7

    • SHA512

      193c41a5327a800e7a950b20cf312213b395b6ca692f707c3f6e3bf12ca026144deee3c6058c304c5644643c1847103b984859c6ae085d9ca96eafd8c9274968

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               | Technique                     | Count | ID
  ---------------------|-------------------------------|-------|------
  Defense Evasion      | Install Root Certificate      | 1     | T1130
  Defense Evasion      | Modify Registry               | 1     | T1112
  Credential Access    | Credentials in Files          | 3     | T1081
  Discovery            | Query Registry                | 3     | T1012
  Discovery            | System Information Discovery  | 8     | T1082
  Collection           | Data from Local System        | 3     | T1005
  Command and Control  | Web Service                   | 1     | T1102

Tasks