Overview

overview

10

Static

static

Complete_P...e2.rar

windows7-x64

10

Complete_P...e2.rar

windows10-2004-x64

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

1

langs/English.ini

windows7-x64

1

langs/English.ini

windows10-2004-x64

1

langs/Hungarian.ps1

windows7-x64

1

langs/Hungarian.ps1

windows10-2004-x64

1

langs/Korean.ps1

windows7-x64

1

langs/Korean.ps1

windows10-2004-x64

1

Resubmissions

02-12-2022 04:06

221202-en6ymacb27 10

29-11-2022 08:17

221129-j625lsbf28 10

28-11-2022 08:49

221128-krf49sah64 10

24-11-2022 09:42

221124-lpgtfshe6t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Complete_Pass_1234_Active_Ze2.rar

  • Size

    5.9MB

  • Sample

    221128-krf49sah64

  • MD5

    c87e04df8126ad203b0e308f50813300

  • SHA1

    7b75cfd2b2a9bb9e2a13bc3b0059ef6020852b49

  • SHA256

    25973e904b1bcfe98a83e2b20e801b8e0781889bc61e238df4066ad7944a2829

  • SHA512

    4ab59609eeab13a0a5868b394c1384cae082bc1ad80834406a16afc7b78a08c71d9cf135db66fe06ba8190911d93a367a9f725be4135e2e9a5c508c4ea1d585f

  • SSDEEP

    98304:isFSJq3U7FPJEVjmLGRD8whMjx2ho4O6ONhw8UBwsOzUOcMWraZ6Vz1Ku43jqrAN:9AJqYPJEVjmu2Z6EwjBw7aMge6SNjqri

Score
10/10
vidar1364discoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1364

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531
Attributes
  • profile_id

    1364

Targets

    • Target

      Complete_Pass_1234_Active_Ze2.rar

    • Size

      5.9MB

    • MD5

      c87e04df8126ad203b0e308f50813300

    • SHA1

      7b75cfd2b2a9bb9e2a13bc3b0059ef6020852b49

    • SHA256

      25973e904b1bcfe98a83e2b20e801b8e0781889bc61e238df4066ad7944a2829

    • SHA512

      4ab59609eeab13a0a5868b394c1384cae082bc1ad80834406a16afc7b78a08c71d9cf135db66fe06ba8190911d93a367a9f725be4135e2e9a5c508c4ea1d585f

    • SSDEEP

      98304:isFSJq3U7FPJEVjmLGRD8whMjx2ho4O6ONhw8UBwsOzUOcMWraZ6Vz1Ku43jqrAN:9AJqYPJEVjmu2Z6EwjBw7aMge6SNjqri

    Score
    10/10
    vidar1364discoveryevasionspywarestealertrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Setup.exe

    • Size

      402.5MB

    • MD5

      067d3c879130afc47174ba47b13e43ac

    • SHA1

      7a904662e1b30d84ef00011d5b5fb41eda3d338e

    • SHA256

      6f82b1cf599c76bc579116a448fc4140b73074593fde03ac4848b55e63486eaf

    • SHA512

      663b0744020e5ef0e8e5f327e98471df6225153e2dadc02eb602461332d462cf1c00189c9179ccd4024b1138dd4cd984f2a43ab81ea4f2db889f9913c8fc34c8

    • SSDEEP

      98304:SdJ+IoM2/A0pVUyCl4wG5VAc8UqsCOyS87SSstVC3aV:SdgIH2/A0pVBEcNQS87SX0aV

    Score
    10/10
    vidar1364discoveryevasionspywarestealertrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      langs/English.ini

    • Size

      107KB

    • MD5

      525ce1c02ca53f9c63cb697ed3aae899

    • SHA1

      9ddc2763d9dd663f3cb0febf0d580e21c52c2f18

    • SHA256

      0f9d467f6bb6f682c0d1351b26038950c73720f2bfc0741ec1c7bfab2046d75f

    • SHA512

      734d599d839b1266c42f340e044243ae30d1859d314eed7738f72f59201d19359f1ac6ee0cac8bfef4a0a2b8f2232a4f1f33336770c8c43f929c1bef162d2317

    • SSDEEP

      1536:5S5Ybl8/lKlXiF3y24FMuRvV5I7BohUT1:xxXiVQV5uJ1

    Score
    1/10
    behavioral5behavioral6

    • Target

      langs/Hungarian.ini

    • Size

      107KB

    • MD5

      7591df7fae4342cbc7a0706e1b28e87b

    • SHA1

      825e88ad498e8713522f5aef3b21ee01d6fa8b41

    • SHA256

      fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d

    • SHA512

      8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4

    • SSDEEP

      3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X

    Score
    1/10
    behavioral7behavioral8

    • Target

      langs/Korean.ini

    • Size

      91KB

    • MD5

      efae0c78be2abe2920c78b9d4785ab45

    • SHA1

      8c0799fb68852cb071bbe260deb4ab357bd5f4ed

    • SHA256

      ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132

    • SHA512

      44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8

    • SSDEEP

      768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP

    Score
    1/10
    behavioral10behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

6
T1081

Discovery

Query Registry

8
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

8
T1082

Lateral Movement

Collection

Data from Local System

6
T1005

Exfiltration

Command and Control

Impact

Tasks