vidar

General

Target

MDE_File_Sample_ab2ef595f1feb7747b25b9ea678f46d2178c118a.zip
Size

6.8MB
Sample

221121-kq91ysfe9y
MD5

fb3e914de1655102f2a79aa940fefdbf
SHA1

767773229455784043923d9dc396bf8ecf3277fa
SHA256

3902df7af163de99d0aaf60e70b2b130a34da3267727f7c6eb53086933f9da1e
SHA512

92b6e0d7bb0afd6c8c0c33954f8ed9d16e92f3fbe5195b0158490a867f74660f3bd525a9b2ed8b47f94044bcd6e015ab5bdb8519dce1b647b1330f513c86c57e
SSDEEP

98304:FN74oXjgzv23q/dlfTBRZhgiBqDmslrrHh2ZtWrl9DdxjeTbXLxbQ9A8M6i8i:L74oa19BJdB4rprk2VqxbQ9DM6xi

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

55.7

Botnet

1142

C2

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
1142

Targets

- Target
  
  10% For 10 Trading days (Guide).exe
- Size
  
  407.7MB
- MD5
  
  1df3b3be200a14527ca67c70cf886ddf
- SHA1
  
  2f9c1cdba64f514b1789d082e6b4fa01282ffd13
- SHA256
  
  8008b65e514cec030bd3091ee4b030503617e7a258b8ad3777d6c4debc766451
- SHA512
  
  6a7e29a46e6d403e6fb90c3bfa6948224b16d64de001627eb14ca6e549c272b7abfdd0b85f6c001470283a1e2ac00fbb8b62a85b52328b054ba4ca773791f0ad
- SSDEEP
  
  196608:j5akJDWPYlxPWoERlH1AEqijVpHeePmSh:hJDoY/WflH1AnijXPZ
Score

10^/10

vidar 1142 discovery evasion spyware stealer themida trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  langs/Hungarian.ini
- Size
  
  107KB
- MD5
  
  7591df7fae4342cbc7a0706e1b28e87b
- SHA1
  
  825e88ad498e8713522f5aef3b21ee01d6fa8b41
- SHA256
  
  fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d
- SHA512
  
  8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4
- SSDEEP
  
  3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X
Score

1^/10
behavioral3 behavioral4
- Target
  
  langs/Korean.ini
- Size
  
  91KB
- MD5
  
  efae0c78be2abe2920c78b9d4785ab45
- SHA1
  
  8c0799fb68852cb071bbe260deb4ab357bd5f4ed
- SHA256
  
  ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132
- SHA512
  
  44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8
- SSDEEP
  
  768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP
Score

1^/10
behavioral5 behavioral6