vidar

General

Target

Complete_Pass_1234_Active_Ze2.rar
Size

5.9MB
Sample

221129-j625lsbf28
MD5

c87e04df8126ad203b0e308f50813300
SHA1

7b75cfd2b2a9bb9e2a13bc3b0059ef6020852b49
SHA256

25973e904b1bcfe98a83e2b20e801b8e0781889bc61e238df4066ad7944a2829
SHA512

4ab59609eeab13a0a5868b394c1384cae082bc1ad80834406a16afc7b78a08c71d9cf135db66fe06ba8190911d93a367a9f725be4135e2e9a5c508c4ea1d585f
SSDEEP

98304:isFSJq3U7FPJEVjmLGRD8whMjx2ho4O6ONhw8UBwsOzUOcMWraZ6Vz1Ku43jqrAN:9AJqYPJEVjmu2Z6EwjBw7aMge6SNjqri

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1364

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
1364

Targets

- Target
  
  Setup.exe
- Size
  
  402.5MB
- MD5
  
  067d3c879130afc47174ba47b13e43ac
- SHA1
  
  7a904662e1b30d84ef00011d5b5fb41eda3d338e
- SHA256
  
  6f82b1cf599c76bc579116a448fc4140b73074593fde03ac4848b55e63486eaf
- SHA512
  
  663b0744020e5ef0e8e5f327e98471df6225153e2dadc02eb602461332d462cf1c00189c9179ccd4024b1138dd4cd984f2a43ab81ea4f2db889f9913c8fc34c8
- SSDEEP
  
  98304:SdJ+IoM2/A0pVUyCl4wG5VAc8UqsCOyS87SSstVC3aV:SdgIH2/A0pVBEcNQS87SX0aV
Score

10^/10

vidar 1364 discovery evasion spyware stealer trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  langs/Hungarian.ini
- Size
  
  107KB
- MD5
  
  7591df7fae4342cbc7a0706e1b28e87b
- SHA1
  
  825e88ad498e8713522f5aef3b21ee01d6fa8b41
- SHA256
  
  fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d
- SHA512
  
  8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4
- SSDEEP
  
  3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X
Score

1^/10
behavioral3 behavioral4
- Target
  
  langs/Korean.ini
- Size
  
  91KB
- MD5
  
  efae0c78be2abe2920c78b9d4785ab45
- SHA1
  
  8c0799fb68852cb071bbe260deb4ab357bd5f4ed
- SHA256
  
  ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132
- SHA512
  
  44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8
- SSDEEP
  
  768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP
Score

7^/10
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral5 behavioral6