vidar | 34fbb725cb2dadf927aa711744b2ac462ebfca6545ac07486ff319090727bc9c | Triage

Submit
Reports

Overview

overview

Static

static

7

Setup.exe

windows7-x64

Setup.exe

windows10-2004-x64

Sharing

General

Target

Setup.zip
Size

5.6MB
Sample

230125-jvej6sha4v
MD5

307832716da4e2f4630508b14803f8cc
SHA1

377ec621b9d9626a52b361430768fe0b64b91afe
SHA256

34fbb725cb2dadf927aa711744b2ac462ebfca6545ac07486ff319090727bc9c
SHA512

b9c8893a35d56df8e3574ff95f5156f79f21fb4ab93cada16792638ccee8f319148f393a7ee93c07bb56455c58dc70c9688b5732f9c3072e53a9644596bb8227
SSDEEP

98304:RHDl7/NIwMjgnV1GQ0jwuB0932vzeNoixCjfDXxsFU01netH0CEMm2YhJj:L/NIwMjgfGRwXlo17WFxetUCCHj

Score

10^/10

vidar 754 evasion spyware stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Setup.exe

Resource

win7-20221111-en

vidar 754 evasion stealer themida trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

Setup.exe

Resource

win10v2004-20221111-en

vidar 754 evasion spyware stealer themida trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

754

C2

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
754

Targets

- Target
  
  Setup.exe
- Size
  
  688.6MB
- MD5
  
  08e151d381448ed0d4bc81360ac902d3
- SHA1
  
  6b41c783a0a0fa80db41ba0ea5b04039c5816504
- SHA256
  
  184ce64f7c39d8bede67f57b1a114207d991d09c2db4d0c0dc58a004ee8b2219
- SHA512
  
  a9557aa238fd749094f8f945b47bc052838cba4c97004dcd07d4c85c17c5c356777dabc3b49ee9c59676ef9115ccc5cf338cc8460ad6366f0ba4c3c9a625525f
- SSDEEP
  
  98304:OnkCLdNtZv0I83Xs0GVJ4w/iVG+Kqezp5vXMwRzhcHlmB2r7c:Onk4NtZv0TVGVJ4waU+3S5vcCiHl/
Score

10^/10

vidar 754 evasion stealer themida trojan spyware
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vidar754evasionstealerthemidatrojan

behavioral2

vidar754evasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy