General

  • Target

    CompleteInstaller_Pass1234_Active_B3 (2).rar

  • Size

    3.9MB

  • Sample

    221208-qm24tsdb2v

  • MD5

    2e0cf0709695a3e3df93c8d3d7651674

  • SHA1

    b0bbcc1e1481f643d9a4e3b7f0fce698be5a1c8d

  • SHA256

    58e301cc6f3e5bd30dc849ae1d6f0cad92a8b4a34fa51af6fed1ada2264a1f6a

  • SHA512

    4e6e327affba5cc98b7eeae24b774accc7516a1eef2fd1c5686430d3a8467c0ef99fbb63c65b133702c44844e52898c32f95bfc93c6ad32cfbd90dde073d14f8

  • SSDEEP

    98304:OVS/j7lTaomb4+1zmyTH/6b6EU7tb842V3Ydmu/Vh+dHXW:O8rZT1mHLTSb6EUZn2V3WjSm

Malware Config

Extracted

Family

vidar

Version

56.1

Botnet

1707

C2

https://t.me/dishasta

https://steamcommunity.com/profiles/76561199441933804

Attributes

  • profile_id

    1707

Targets

    • Target

      SetupFile.exe

    • Size

      428.1MB

    • MD5

      7226d8d16095a3e5adfc54c0f21f47ea

    • SHA1

      888a9fb43a1b266c14949ff5a08484f90ee55bf6

    • SHA256

      02c828e99aa676e09b13b1ed83fec552e9a0af8e36d5621c241e6cc94e0e0af9

    • SHA512

      0c6ae1c71d4969adaa724bc32047325553ad1df1d9f06239b9a18df05cb151a79c1244f312c08abd7f9a9c9cd0479254a86699786f2ef2a256ca15dc5b086466

    • SSDEEP

      98304:7oFL7+orEBewjmQ1vS9RTHFa0azSYhYlktlvBS0UzZ5qLfIlX3:7oFCiEBhjmjDypmZ6OX3

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task, T1053 (1)

  • Persistence

    Scheduled Task, T1053 (1)

  • Privilege Escalation

    Scheduled Task, T1053 (1)

  • Defense Evasion

    Virtualization/Sandbox Evasion, T1497 (1)

  • Credential Access

    Credentials in Files, T1081 (3)

  • Discovery

    Query Registry, T1012 (4)

    Virtualization/Sandbox Evasion, T1497 (1)

    System Information Discovery, T1082 (5)

  • Collection

    Data from Local System, T1005 (3)

Tasks