Overview

overview

10

Static

static

7

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    2.0MB

  • Sample

    221219-km5xtshf4y

  • MD5

    ec0ac23a4d78b472dc4cc6ba718ed1b4

  • SHA1

    50d5c0d0775ff7e6c84c35549bd0da5d041c28b8

  • SHA256

    7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7

  • SHA512

    ade59aebd9631b3f8b467523b224ee937003414cbc1f5ecd646daa372e14475a2be7e1b933e31e65eb0583df42eea7b9fe71c6958163b71f6b1cbbde9e9516ab

  • SSDEEP

    49152:HPZDYu8tLPaJtbqySZWkIlVUUnY6JAiJCkdEbtFT1uwp:vqazv1lVQunDduFTMwp

Score
10/10
vidar1679evasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

56.1

Botnet

1679

C2

https://t.me/dishasta

https://steamcommunity.com/profiles/76561199441933804
Attributes
  • profile_id

    1679

Targets

    • Target

      file.exe

    • Size

      2.0MB

    • MD5

      ec0ac23a4d78b472dc4cc6ba718ed1b4

    • SHA1

      50d5c0d0775ff7e6c84c35549bd0da5d041c28b8

    • SHA256

      7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7

    • SHA512

      ade59aebd9631b3f8b467523b224ee937003414cbc1f5ecd646daa372e14475a2be7e1b933e31e65eb0583df42eea7b9fe71c6958163b71f6b1cbbde9e9516ab

    • SSDEEP

      49152:HPZDYu8tLPaJtbqySZWkIlVUUnY6JAiJCkdEbtFT1uwp:vqazv1lVQunDduFTMwp

    Score
    10/10
    vidar1679evasionspywarestealerthemidatrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks