vidar | 807cd667638409b072cad009046de64c656ad544735ab95ea6db34b6f46b9da8 | Triage

Submit
Reports

Overview

overview

Static

static

591835d001...92.exe

windows7-x64

591835d001...92.exe

windows10-2004-x64

Sharing

General

Target

8472480879.zip
Size

3.9MB
Sample

221129-kmc7tafh9z
MD5

6eab674b40bbd8dea7733c6ffd6fd475
SHA1

81483af23b475f96fad365047eb9b0e10245ce77
SHA256

807cd667638409b072cad009046de64c656ad544735ab95ea6db34b6f46b9da8
SHA512

056bb6cf78319b26957af2bdf277a38bb7decd2fceb93e011caa6a5d953c6f5dadedb7a6c11229f9bdb40e6f249b88acc213b5fdce7d72186fcbb3b8f719a3c6
SSDEEP

98304:LrCGnR3xgJC1RE226DAWesb/9E1Sbs01K6kzZiPUAlBhAzeM:LG0R3xgJC1REgU+9E4ISkNi1BhU7

Score

10^/10

vidar 1142 discovery spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

591835d00134e24ab87d8dd53a1fced015c3cee18f49ac435f28dc2af024bf92.exe

Resource

win7-20221111-en

vidar 1142 discovery spyware stealer vmprotect

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

591835d00134e24ab87d8dd53a1fced015c3cee18f49ac435f28dc2af024bf92.exe

Resource

win10v2004-20220812-en

vidar 1142 stealer

windows10-2004-x64

1 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1142

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
1142

Targets

- Target
  
  591835d00134e24ab87d8dd53a1fced015c3cee18f49ac435f28dc2af024bf92
- Size
  
  4.0MB
- MD5
  
  37eb7e578bc1b48c2001eb7aa3eb1062
- SHA1
  
  20e4b7bff24d30f72d90bc2fa41649a347e70ffd
- SHA256
  
  591835d00134e24ab87d8dd53a1fced015c3cee18f49ac435f28dc2af024bf92
- SHA512
  
  aa056dbe9195d1cef1e4a1f9937538896a5c2b12da9b9ead4ee97c26ef210a31d70dd2bd46cba9de6e50a70389b5fa4b55164af7e637595e30a7abea79f295b1
- SSDEEP
  
  98304:TgQlcmsRh4de3XKadvP84mza0stsYFxmRg:TgQamsRhr3XKay4+vsFh
Score

10^/10

vidar 1142 discovery spyware stealer vmprotect
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vidar1142discoveryspywarestealervmprotect

behavioral2

vidar1142stealer

© 2018-2024

Terms | Privacy