Overview

overview

10

Static

static

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Resubmissions

02-12-2022 04:06

221202-en6ymacb27 10

29-11-2022 08:17

221129-j625lsbf28 10

28-11-2022 08:49

221128-krf49sah64 10

24-11-2022 09:42

221124-lpgtfshe6t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Complete_Pass_1234_Active_Ze2.rar

  • Size

    5.9MB

  • Sample

    221124-lpgtfshe6t

  • MD5

    c87e04df8126ad203b0e308f50813300

  • SHA1

    7b75cfd2b2a9bb9e2a13bc3b0059ef6020852b49

  • SHA256

    25973e904b1bcfe98a83e2b20e801b8e0781889bc61e238df4066ad7944a2829

  • SHA512

    4ab59609eeab13a0a5868b394c1384cae082bc1ad80834406a16afc7b78a08c71d9cf135db66fe06ba8190911d93a367a9f725be4135e2e9a5c508c4ea1d585f

  • SSDEEP

    98304:isFSJq3U7FPJEVjmLGRD8whMjx2ho4O6ONhw8UBwsOzUOcMWraZ6Vz1Ku43jqrAN:9AJqYPJEVjmu2Z6EwjBw7aMge6SNjqri

Score
10/10
vidar1364discoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1364

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531
Attributes
  • profile_id

    1364

Targets

    • Target

      Setup.exe

    • Size

      402.5MB

    • MD5

      067d3c879130afc47174ba47b13e43ac

    • SHA1

      7a904662e1b30d84ef00011d5b5fb41eda3d338e

    • SHA256

      6f82b1cf599c76bc579116a448fc4140b73074593fde03ac4848b55e63486eaf

    • SHA512

      663b0744020e5ef0e8e5f327e98471df6225153e2dadc02eb602461332d462cf1c00189c9179ccd4024b1138dd4cd984f2a43ab81ea4f2db889f9913c8fc34c8

    • SSDEEP

      98304:SdJ+IoM2/A0pVUyCl4wG5VAc8UqsCOyS87SSstVC3aV:SdgIH2/A0pVBEcNQS87SX0aV

    Score
    10/10
    vidar1364evasionstealertrojandiscoveryspyware

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks