vidar | 7f874e1018fb27609df79be210c6b4345246dd3559577afc56c561879da1dd4b | Triage

Submit
Reports

Overview

overview

Static

static

7

AnyDesk_x6...32.exe

windows7-x64

AnyDesk_x6...32.exe

windows10-2004-x64

Sharing

General

Target

AnyDesk_x64x32.zip
Size

8.1MB
Sample

221130-vq913acf9w
MD5

11f60048e753528d160964f2a9f627e9
SHA1

c0ab9eabdf5c55ee0bc4f527a09deac10642de86
SHA256

7f874e1018fb27609df79be210c6b4345246dd3559577afc56c561879da1dd4b
SHA512

0f9ffe2b3964d4b319c7a2ce1b88aaa90e3678d3375e67c3b87fd6fa25f08e9bbe3baced563c872337b807d5d154203632d7b7e27ae7641bd777a49f9d622ad1
SSDEEP

196608:eR5ArpeWisxTHVeZLp73qU67S9x0O7KpA7t1ZtNs:ez4UWJfS9Z7tNu

Score

10^/10

vidar 1678 evasion spyware stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

AnyDesk_x64x32/AnyDesk_x64x32.exe

Resource

win7-20220812-en

vidar 1678 evasion spyware stealer themida trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

AnyDesk_x64x32/AnyDesk_x64x32.exe

Resource

win10v2004-20220901-en

vidar 1678 evasion spyware stealer themida trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1678

C2

https://t.me/paysotr_france

Attributes

profile_id
1678

Targets

- Target
  
  AnyDesk_x64x32/AnyDesk_x64x32.exe
- Size
  
  745.2MB
- MD5
  
  5956d3d9c0cdd930cf7754cfc194feaf
- SHA1
  
  0ab481033c4d03850c8426a636d9c6d542d3546a
- SHA256
  
  9349e45e03aa3efff2c32e8987dd905ec618f80083e43c9e06f997fe52dfd7c7
- SHA512
  
  31b2157bb4bdf43948fa700a2720a97f95df4d158a69df14eab334dfc9594dc3f6c29bdccef65dbe7358bcfed129c51c43c3a6b614bfc9d187e18b0475822d8f
- SSDEEP
  
  98304:JQrLZQrLAmaY70kUpqnT/0FH1Bj81K0sFCHnkcCemOU+ltwiSqfqdNZvJbhr4H:JULZULAQ7ZTr0FH1BAoFOZPfq/S
Score

10^/10

vidar 1678 evasion spyware stealer themida trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vidar1678evasionspywarestealerthemidatrojan

behavioral2

vidar1678evasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy