General

  • Target

    AppSetup.rar

  • Size

    5.6MB

  • Sample

    230127-m8yrrabg31

  • MD5

    3320baa8777b655d4be63fb56a35f875

  • SHA1

    9f1f90e1ab9feb0396f4e7d921d56a97b527ffb4

  • SHA256

    2f626154e982310a3efc265a8c279dea6c857dac99a96ae698cd797f9dcac174

  • SHA512

    69a542eabe263575e56f51902213d024786e62f117943ad724d86c54a54d02d299a4c0f77fced040b435e24fc8f18dd87c3869c7b02bd512acc2db29d7a9e5ee

  • SSDEEP

    98304:yiJu9vxyWDY0NXBn7bv4ML50l30EZFZNAAKv64rOtMKzsfB1lKIBFty:yl9pyKlNx7bv4ML50xnFZqAKv64r4I1m

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

754

C2

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

  • profile_id

    754

Targets

    • Target

      AppSetup.rar

    • Size

      5.6MB

    • MD5

      3320baa8777b655d4be63fb56a35f875

    • SHA1

      9f1f90e1ab9feb0396f4e7d921d56a97b527ffb4

    • SHA256

      2f626154e982310a3efc265a8c279dea6c857dac99a96ae698cd797f9dcac174

    • SHA512

      69a542eabe263575e56f51902213d024786e62f117943ad724d86c54a54d02d299a4c0f77fced040b435e24fc8f18dd87c3869c7b02bd512acc2db29d7a9e5ee

    • SSDEEP

      98304:yiJu9vxyWDY0NXBn7bv4ML50l30EZFZNAAKv64rOtMKzsfB1lKIBFty:yl9pyKlNx7bv4ML50xnFZqAKv64r4I1m

    Score: 3/10

    • Target

      AppSetup.exe

    • Size

      689.2MB

    • MD5

      51546cad54042b12982cd15f8685dacd

    • SHA1

      1d6d6125139e18d76945732d69d833d915da1a8f

    • SHA256

      fecd31d990a942e012bcb6860cc0f76ce46daaaf7d829d0c08f5972878899ffa

    • SHA512

      a0a922f1a62b24cd3c3383c610cbec4eb0ecd3a595f137650466d0f882b89809eb851505221ceff923a7cd6e2500c48d2e7c4bd52441463b9e5ab4a9f290cf94

    • SSDEEP

      98304:TSWU64N6ik/INEdXihZur3ui/xFKtL7UHfrPlkrAUzXGqb1MTmLgx0ZvSeK+YNmG:T4kQNEdyhq4GHTloxgE1Rs

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Bootkit (T1067): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 1

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    System Information Discovery (T1082): 4

    Query Registry (T1012): 3

    Virtualization/Sandbox Evasion (T1497): 1

  • Collection

    Data from Local System (T1005): 2

Tasks