General

  • Target

    7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f

  • Size

    217KB

  • Sample

    221202-y1c1vsaf25

  • MD5

    583593cfbf27ed14d04e133833e897b2

  • SHA1

    af7fd15d27bef67f89b6aee2348d636932bcd027

  • SHA256

    63d17503bd4ae9dc9b7e834d6eefda8ec214746e73945b333af447ddab0b2bab

  • SHA512

    a7678702d44eb7da977bb00e73501e321ce364ff91152826b5df66a71deac4f7a3d45cc47700b15ef317b5f2db38b878cceac88039bfc8b1fd7ca93df2489fbf

  • SSDEEP

    6144:lhqJKdm6pftFrsb8XODU40LTwzLs0+CKnY1PVRT:3/7pfthcwIU40LTwz5rfRT

Malware Config

Extracted

Family

vidar

Version

56

Botnet

517

C2

https://t.me/asifrazatg

https://steamcommunity.com/profiles/76561199439929669

Attributes

  • profile_id

    517

Targets

    • Target

      7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f

    • Size

      258KB

    • MD5

      b9212ded69fae1fa1fb5d6db46a9fb76

    • SHA1

      58face4245646b1cd379ee49f03a701eab1642be

    • SHA256

      7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f

    • SHA512

      09cab8ccedb9e53d6d2725e8b9dbbe8fa9552607a58d89876b6539a6612b2e7ac0440ef281971bec9191510915fa6264048510add493e6a862b0d3b4f006e342

    • SSDEEP

      6144:YdAhH6pftFbsb8XODU4aLTwzLs0+mKnBtt:VUpftVcwIU4aLTwz5tItt

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks