General

  • Target

    Active_APpLicatiOn_1234_Vr6ty-Oz.rar

  • Size

    4MB

  • Sample

    221220-q2hzhahf75

  • MD5

    963011155b7b84c8850878c68b99445a

  • SHA1

    f5f6cdfd1d12df787cf358e0e5eae8483ab6d06e

  • SHA256

    ed9194aab02f28532a292a55883d17d4c6d9e1398b417c89c49274ef394730c1

  • SHA512

    1ce641c769569eb96fa5d43fafac80c51b6785f5fc251d46c9dac0838761f0d5a678de554eea6625ea9ba258321161e8a35641ec3ab26c12632de88460aed6ae

  • SSDEEP

    98304:TtL+tIRaXCg7itumOmIt0e5JxRyiamuvp2QAxXEqu7dUFPKig1nGfDrX7QceNC:gCaXCg7IvG0e5Jj1am2pmDu7dGLg1nSX

Malware Config

Extracted

Family

vidar

Version

55.9

Botnet

1707

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes
profile_id
1707

Targets

    • Target

      Setup.exe

    • Size

      401MB

    • MD5

      0ddcdd61416097c2bb811c52ec1edbb0

    • SHA1

      a95918e157f327ff92025f460b5abe4a0be7681d

    • SHA256

      aa80f09c015c63a1b140be6cc7f6e102fbac728a94e9d7063caaaede90bbf364

    • SHA512

      2f066531ee0cfd95859acd05d0997f2cc85c8b337b4c37e6cae34bc47fe612e796de060f70f59c1947e54442e0fe3e7fda6df4989fb98fca7449e8de499f845e

    • SSDEEP

      98304:ynbaaSVmm30fIhK9C7CmMK5kZmxQSDgK0h:yba5V1lhK943zhxQSDgd

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation

                  Tasks