General

  • Target

    installerx64.zip

  • Size

    17.2MB

  • Sample

    221127-yfq2zsde53

  • MD5

    f07b22cffd00df98a78af88e3680ffb4

  • SHA1

    16c04ebd04e1c7ffd76e55af7d031f215e4d4e39

  • SHA256

    dfcf45d97a5c1e596fd63b1b617779f6151d595fa4fbb330b5e570b6917a66fa

  • SHA512

    5788f34105eb3fe3a3c61a6d6c8f73fa72c472b8f17330e304d966b062be2fa6473a6d3f9b20cab3974a5d3e1d29140a7b547bb11df8a2810b9b4850acd45abc

  • SSDEEP

    393216:2eAIK/E59NxUzf+X3shwgS+mONqVFC0ubQuFz9gWv0OhYxDH4Kk:2exKMr22Hs07s0CLFpJox0D

Malware Config

Extracted

  • Family

    vidar

  • Version

    55.9

  • Botnet

    1604

  • C2

    https://t.me/misteryworldismyhome
    https://t.me/montgomerywavesgetlucky
    https://t.me/prokl3hfy

  • Attributes

    profile_id: 1604

Targets

    • Target

      installerx64.exe

    • Size

      706.6MB (the enclosing installerx64.zip is only 17.2MB; a compression ratio of roughly 40:1 indicates the executable is padded with highly compressible filler, a common trick for pushing a sample past the file-size limits of AV scanners and sandboxes)

    • MD5

      41bf2ab4d931307596bca16b3eeaa204

    • SHA1

      aeaceceaec0abaa4f020c948f504985e71b6f0bc

    • SHA256

      10838acc353d1580f5e17ca6ffd33346f156a7c3f6c8a28151812ec553f0d3d1

    • SHA512

      f3ae025a4a186422ee2a982b186e3843963292080d20504604131b9502462c360dd77e67306948665160c08a50d85b94191803649d90d68f419a315b3012f3a7

    • SSDEEP

      98304:hrFpFpUSCAajXKzbNOpjafzC7ps1u6OLucZGUTQ8n6vtJjrNK9J:XCSCHCbNOgG7p7LPmP/4

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox exposes ACPI tables with its own OEM ID (VBOX__), which Windows mirrors under HKLM\HARDWARE\ACPI; reading those keys is a cheap VM check.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

      Reads the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the calling thread from delivering debug events to an attached debugger (anti-debugging).
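As an added example (not part of the sandbox report and not Vidar's own code), the following Python matcher turns the registry-, API- and file-based signatures listed above into rules and runs them over a constructed event trace. The trace lines, the PIDs, the victim paths and the dropped-DLL filename are constructed for illustration; the registry paths and the ThreadInformationClass value 0x11 (ThreadHideFromDebugger) are real Windows values, but the trace format itself is an assumed Sysmon/ETW-style export, not a Triage artifact.

```python
"""Re-implement the report's behavioural signatures as rules over an event trace."""
import re

# Constructed sample trace (not from the report): "<pid> <operation> <target>" per line.
SAMPLE_TRACE = """\
4120 RegOpenKey HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
4120 RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
4120 RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
4120 RegEnumKey HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
4120 RegEnumKey HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
4120 RegQueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA
4120 NtSetInformationThread ThreadInformationClass=0x11
4120 FileRead C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4120 FileRead C:\\Users\\victim\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
4120 FileRead C:\\Users\\victim\\AppData\\Roaming\\Authy Desktop\\Local Storage\\leveldb\\000003.log
4120 LoadImage C:\\Users\\victim\\AppData\\Local\\Temp\\freebl3.dll
1234 RegQueryValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

# (signature name as in the report, operation regex, target regex).
# Targets are matched case-insensitively; "\\" in a raw string is one literal backslash.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", r"^Reg", r"HARDWARE\\ACPI\\.*VBOX"),
    ("Checks BIOS information in registry", r"^Reg", r"HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios"),
    ("Checks installed software on the system", r"^Reg", r"CurrentVersion\\Uninstall$"),
    ("Checks whether UAC is enabled", r"^Reg", r"Policies\\System\\EnableLUA$"),
    # 0x11 is THREAD_INFORMATION_CLASS.ThreadHideFromDebugger.
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     r"^NtSetInformationThread$", r"ThreadInformationClass=0x11"),
    ("Reads user/profile data of web browsers", r"^FileRead$",
     r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$"),
    ("Accesses cryptocurrency files/wallets", r"^FileRead$", r"\\(Exodus|Electrum|Ethereum|Bitcoin)\\"),
    ("Accesses 2FA software files", r"^FileRead$", r"\\Authy Desktop\\"),
    # Simplification: any DLL mapped from %TEMP% is treated as a dropped DLL.
    ("Loads dropped DLL", r"^LoadImage$", r"\\AppData\\Local\\Temp\\[^\\]+\.dll$"),
]


def parse_trace(text):
    """Split the trace into (pid, operation, target); targets may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, target = line.split(" ", 2)
        events.append((int(pid), op, target))
    return events


def match_signatures(events):
    """Return {pid: {signature_name: [matching targets]}} for every rule that fires."""
    hits = {}
    for pid, op, target in events:
        for name, op_re, target_re in RULES:
            if re.search(op_re, op) and re.search(target_re, target, re.IGNORECASE):
                hits.setdefault(pid, {}).setdefault(name, []).append(target)
    return hits


def triage(events, min_signatures=3):
    """Flag processes that trip at least `min_signatures` distinct signatures.

    A single registry read is normal; an infostealer is recognisable by the
    combination of anti-analysis checks plus credential/wallet file access.
    """
    hits = match_signatures(events)
    return {pid: sorted(sigs) for pid, sigs in hits.items() if len(sigs) >= min_signatures}


if __name__ == "__main__":
    for pid, sigs in triage(parse_trace(SAMPLE_TRACE)).items():
        print(f"PID {pid}: {len(sigs)} signatures")
        for sig in sigs:
            print(f"  - {sig}")
```

The threshold in `triage` is the practical point: the individual checks (BIOS version, Uninstall keys, EnableLUA) are also performed by legitimate installers, so a detection should fire on the cluster of behaviours, not on any one registry read.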

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 1 matching signature

  • Credential Access

    Credentials in Files (T1081): 3 matching signatures

  • Discovery

    Query Registry (T1012): 4 matching signatures
    Virtualization/Sandbox Evasion (T1497): 1 matching signature
    System Information Discovery (T1082): 3 matching signatures

  • Collection

    Data from Local System (T1005): 3 matching signatures

Tasks