vidar

Sharing

Copy URL

Twitter E-mail

General

Target

Pass_1234_Setup.rar
Size

5.9MB
Sample

221119-zhrlzaag84
MD5

9b7542d89ec9318455894b49dae880b7
SHA1

210fe64302f5ba958761120e68f62f4f8cbafbff
SHA256

cd03c9e3362a41a632378b21d7ec348f710bbb7a96274d618c72ed757491ad73
SHA512

b5254e72e848ab3712dd25a1afccc38a4bc6f4145044638a409017142c6fa2546a0d4ccb6ef3e0a004df8d6bafeca404cecfe5aed11084cc9fe875dd668d5766
SSDEEP

98304:x117egPi0SiH7vyn9UzohCag7g16fcbav8mC12eA4eVPz6NJ88NEimK5:x11vPi0f2E4icbav/A2eAh8+imu

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

55.7

Botnet

1707

https://t.me/deadftx

https://www.tiktok.com/@user6068972597711

Attributes

profile_id
1707

Targets

- Target
  
  Pass_1234_Setup.rar
- Size
  
  5.9MB
- MD5
  
  9b7542d89ec9318455894b49dae880b7
- SHA1
  
  210fe64302f5ba958761120e68f62f4f8cbafbff
- SHA256
  
  cd03c9e3362a41a632378b21d7ec348f710bbb7a96274d618c72ed757491ad73
- SHA512
  
  b5254e72e848ab3712dd25a1afccc38a4bc6f4145044638a409017142c6fa2546a0d4ccb6ef3e0a004df8d6bafeca404cecfe5aed11084cc9fe875dd668d5766
- SSDEEP
  
  98304:x117egPi0SiH7vyn9UzohCag7g16fcbav8mC12eA4eVPz6NJ88NEimK5:x11vPi0f2E4icbav/A2eAh8+imu
Score

3^/10
behavioral1 behavioral2
- Target
  
  Setup.exe
- Size
  
  434.7MB
- MD5
  
  77f320516b2a4fcd7f27aab5b9c73288
- SHA1
  
  c19aee870e95ff15c83c6e772bac5dfa868c5ac3
- SHA256
  
  f32fac7448af94fa4ecab6e98817f6533b1cf1b7f4a4f84607ce20f5baf1eeb6
- SHA512
  
  87a883ffd03a17185bc1da20aa56a729f886798663419e5271aa7494915eb4fbc09434900fbca51a0dcc5be05afff26837c324b552ee3e9ab29685acfde0c3dc
- SSDEEP
  
  98304:T4kG2qpEx+UfkiiyOd2oVF6LdeejqD0G2t6asuBk5D/+RHWBr1nk1v:ckG2X+LyBoVueiqD01nml+2rFk1v
Score

10^/10

vidar 1707 discovery evasion spyware stealer themida trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  langs/Croatian.ini
- Size
  
  105KB
- MD5
  
  8477123868f12632d652c6da5df683c2
- SHA1
  
  23dbeba17e366e1bb5e7d7be156a9be309c9555d
- SHA256
  
  5bf2b70edb78073f3ce4fe6d809a3a25c982cb2840b8ebaf4367ebc42f16bd3e
- SHA512
  
  b785f8d680f22211c01cfa59cdf86f1bfdeca0446c1c26fc2c144e3018773d22e4050c95cd513d60df9b226df31dc504b5059db168977b3949dbcc428a7ff30d
- SSDEEP
  
  768:w0VnpiuM0pY1HIlw1VoIGRweBLUab7Fno8wBtA1yR4IY52t9RM8wE4c+Tyb3TRr2:VdpiuM0pY1olaEZLUYg4c+7wvO60ll
Score

1^/10
behavioral5 behavioral6
- Target
  
  langs/Danish.ini
- Size
  
  107KB
- MD5
  
  5f50b22de0efb245cd3b8f2fb50a6d3d
- SHA1
  
  be369ffd0c47ff92b3aa5c259ab9f4d40807b687
- SHA256
  
  59df77a75aca7c0a8574f6d4b5be5632908c4fea8634f4748e36ff6fee40e317
- SHA512
  
  f3fec19409ea564bd68f4bd1253297ed8bcbe86554422a22891c61ee237f581f95f6976512e53bcabc5cafe3411343e660d3fb8f398f95f9c1efcec8eaa4367a
- SSDEEP
  
  1536:gmGRkLzUJnbfeKzcqt5G+qX59CcZEY9dHbm/c4C1CgqfRG:gmGRbnbfNRt5G+qX59CcNdX47G
Score

1^/10
behavioral7 behavioral8
- Target
  
  langs/English.ini
- Size
  
  107KB
- MD5
  
  525ce1c02ca53f9c63cb697ed3aae899
- SHA1
  
  9ddc2763d9dd663f3cb0febf0d580e21c52c2f18
- SHA256
  
  0f9d467f6bb6f682c0d1351b26038950c73720f2bfc0741ec1c7bfab2046d75f
- SHA512
  
  734d599d839b1266c42f340e044243ae30d1859d314eed7738f72f59201d19359f1ac6ee0cac8bfef4a0a2b8f2232a4f1f33336770c8c43f929c1bef162d2317
- SSDEEP
  
  1536:5S5Ybl8/lKlXiF3y24FMuRvV5I7BohUT1:xxXiVQV5uJ1
Score

1^/10
behavioral10 behavioral9
- Target
  
  langs/Finnish.ini
- Size
  
  106KB
- MD5
  
  09abf1d7277a388b362c7c94012c9655
- SHA1
  
  85b3a52814c0a4bc9b0c39550e920340f4fb2ac2
- SHA256
  
  eb6cd045c3899f7ca4a7ecd4e8211478720206b3e607ab21c22e164f4c684510
- SHA512
  
  c531f18b5516a5cd32733bd2c00be746d580805a1178971ac57316befcdd0216e906e2283690157c622f217743a10d09e1e78b82558301a95aeb80f2278d4cb0
- SSDEEP
  
  1536:+0X4yMypD2b6/lXRYpc1maOK+RJh5enKT2e2ULv387G:fMyYL5/fgG2e2UL4G
Score

1^/10
behavioral11 behavioral12
- Target
  
  langs/Hebrew.ini
- Size
  
  97KB
- MD5
  
  dbf6973ac46a0adcae8500a16cce4e48
- SHA1
  
  eae986788b33ad048f08ba722fd4eb7354212e63
- SHA256
  
  42ba655e5b635698995a588f4dd39147be867a0c4b45fd49edc65982b12b9531
- SHA512
  
  7a59fe15ac9c10caf3b3abed60201f008583684dfa476cbb9f8ad4c3f5e93d34f31dec859019f1f36d92129b2298272df5eec15be59e367cdcb77d5e89b46549
- SSDEEP
  
  768:w2kJwh+FrSb7UJTvsjkhsRGn6PqwKJTDv69ZUtiGn5Eq5lBQAjV8WEdtWfSZu/JR:zkJwh+FrScvs6Eq5uWpfSZ6KlThAd+C
Score

1^/10
behavioral13 behavioral14
- Target
  
  langs/Hungarian.ini
- Size
  
  107KB
- MD5
  
  7591df7fae4342cbc7a0706e1b28e87b
- SHA1
  
  825e88ad498e8713522f5aef3b21ee01d6fa8b41
- SHA256
  
  fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d
- SHA512
  
  8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4
- SSDEEP
  
  3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X
Score

1^/10
behavioral15 behavioral16
- Target
  
  langs/Indonesian.ini
- Size
  
  105KB
- MD5
  
  d944d8a3551719a176db4da31733ab75
- SHA1
  
  6cf51cb43dbd7ca84334389076adbabe407d95b8
- SHA256
  
  9e52e0b1f7ec39a36e2edd0231dc98865de8524a651fcf6b1b948a575e35fd0f
- SHA512
  
  b9077bdeb69e07894c995bd519ebab594016c8077a213b29264a8040370c9841f1ad6dada2d0af595a596a3875f9c9989dc30af8e7c7b981b420cf1382d5c9a6
- SSDEEP
  
  768:wbWt5bTJA+NtkooQG+Wioa6lBT8IwUzCc0qfcLVUWf1RzVARBBfxP7KLVoeY4z9v:9bT+atkwR2AIheY4pMOy0F8gx
Score

1^/10
behavioral17 behavioral18
- Target
  
  langs/Japanese.ini
- Size
  
  91KB
- MD5
  
  36d47bfae8d0d48d56b7b1feb3b317e7
- SHA1
  
  1d8d59aa40f765319fcb70a9f49e997aca305b89
- SHA256
  
  9077b41d743ed6af51cd9b8aedaebb6d1e0e6217825635a1aa9451994efaff0f
- SHA512
  
  b510a5b17e52778b87f58aaa61f222f11c6190a988440789d1d40591aebdcc7311f7bb3bee9621ab8d971dc2de1ec6ed4d52598b3808dd689f693c3e5897f938
- SSDEEP
  
  768:wPZoCIywqTgXCaNnWYjV6UDFlv0Gaf9xS7ua6PE0FtrqGv0ZQkxKQRTM94DGNWdN:1CIywqTKnWKV5GAQkxHKUfxJYNeNx
Score

7^/10
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral19 behavioral20
- Target
  
  langs/Kazakh.ini
- Size
  
  105KB
- MD5
  
  fe2b5687f2de60cb55629fd7f0ca9a21
- SHA1
  
  5299f36a7b8c5a0b59e3603b8517cb1b3e0f2160
- SHA256
  
  1fde00989b3baeb67e6b1f8654cd2fc7216a40a4c5a5a9a64d03d47ee95e76be
- SHA512
  
  ebda06bfb42a56ed71915a1f42d84edb795927697eae51fa98bcdbac76ce6dd224c7e7610743050f45649f2d756aea82e47af3ef6ad929ddc9593d8044e3334d
- SSDEEP
  
  1536:UdBOtqJCnhr189gDXrbF3h14FMuRv5RI7EhUv1:isH/VG5Rm1
Score

1^/10
behavioral21 behavioral22
- Target
  
  langs/Korean.ini
- Size
  
  91KB
- MD5
  
  efae0c78be2abe2920c78b9d4785ab45
- SHA1
  
  8c0799fb68852cb071bbe260deb4ab357bd5f4ed
- SHA256
  
  ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132
- SHA512
  
  44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8
- SSDEEP
  
  768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP
Score

1^/10
behavioral23 behavioral24
- Target
  
  langs/Kurdish.ini
- Size
  
  106KB
- MD5
  
  af61b416403963d653f5008aaba82e03
- SHA1
  
  b1ab14d6ee43e1230cfcc5acfc4de27ab2a6f6b3
- SHA256
  
  94ac43cb7eb95277db44616a53b23e9174415377b4b3b98a1bdfc98d06a40a4b
- SHA512
  
  a65a21d5d9f7085acf0a96701d4577bf5fbfc0ebcb4f188ff39139b135570f95d76677e6470261aef022b75378898342ab3105704228029f90b8998f414603ab
- SSDEEP
  
  1536:rESqStTfwl/lmie4rC3DA3f1wjF7af0/KkmwL3mnJ/6BD1I:lbTNC
Score

1^/10
behavioral25 behavioral26
- Target
  
  langs/Norwegian.ini
- Size
  
  104KB
- MD5
  
  5cf9c294bd9d233d95e54e198bd8b4ab
- SHA1
  
  670de196a831bc9b0d503694b594524ccfb77b04
- SHA256
  
  1c99b7b06af0d5ac5582f00447fbe04e2325e173666cba8ce2d18678f7b31e3b
- SHA512
  
  bea2be5e1dab1854cbb83fc221f392793aa7b67a1ba1ee521c4ad0aaea671bbbda868d57b3b226cc713eaf9f90bd9fc05b3166353d78c532a43111349159ac7c
- SSDEEP
  
  3072:/Tu1PWiYzr8Z2GIBpLkQXtgpE7ZrB2kyC+3HX:0
Score

1^/10
behavioral27 behavioral28
- Target
  
  langs/SimpChinese.ini
- Size
  
  86KB
- MD5
  
  7aad044a68d89d8bb5a202f8bc69d87c
- SHA1
  
  e20ca69d6f4d1612dc4457612a4b5e4808470bf3
- SHA256
  
  1bfa864f7012e64f5c1656fc5636ea29e87e2a45b5eb2c31a3b20643fdd8ad4d
- SHA512
  
  1fe22968bcba141229d8a4d36f8a7d300e44e76ea701d6a07430854567d15c8b8ebaaacb646d038a89273414c5b2a48562407ca31ac9c75e1e22fece73686625
- SSDEEP
  
  1536:SXm7cLrzWFubvgkOvAbGCgjhRrERD+0xs3sqPHGUt471J2BZIn:8FKNPHGVt
Score

1^/10
behavioral29 behavioral30
- Target
  
  langs/Sinhala.ini
- Size
  
  106KB
- MD5
  
  318ee9a93c4620940f88052b904f05ce
- SHA1
  
  a5574f778537ce085d53c3fc52299b3049da2371
- SHA256
  
  b6fad3bf2adba7c77641ee1a17ff4cd9e5e9b14bac1b855346c91a286e517504
- SHA512
  
  054c1e0322a170b83273a5c253eeb9ffc107056c555ca470d19dbdefc7d68c822d67576fd9333cf5b17357878dc6147a3d1367219db48b2b10e9bd915e806e52
- SSDEEP
  
  1536:Run1VCXWZTr/lOPoMHjYMgr5xU1Jdr/pSnE8EtwO5vrzAKnUs2:RungtoMHjYMgrgJqE8EqOxzus2
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unexpected DNS network traffic destination

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32