vidar

General

Target

Loader.rar
Size

1.0MB
Sample

230129-gdsz5aae43
MD5

ea62797765bcc7d277a6d02b5113cd7b
SHA1

5b013377b3b614fd8728a976b9b4589ebd5a965f
SHA256

7eaec25194b19910f090aa38b9236530c70b61e69991edbb497b32ed73e28ddc
SHA512

997991598504b719c0c52180485a5e37ea7ded470d475e625acb628d78cd719f241a7396e93c1eed001432d819e4c12c4a2e98a75c81fc1cee77af2ad44a2d06
SSDEEP

12288:VsnkLvrX1So/aGVN2Q6fyib3xWzg8xqkDPSSNdz5Fx2d6nQHuhh6ZGP1QTOeEVmb:maTmQ6yibhWzgW5PS6XQ8h68PyTukQ2

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

408

C2

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
408

Targets

- Target
  
  Cracker.dll
- Size
  
  56KB
- MD5
  
  f861f7c134819f4aa5f3b0ce2db9bc9f
- SHA1
  
  d063a5e353543e9f21a7a16ea1c0789be0a30856
- SHA256
  
  4dc9457b3f2b4eb488aa0b95ff4cd25632c8756beb5992520c970ae7d09fe0b7
- SHA512
  
  90ac4c0fa370e076c19f865c554d8231a4d80c1bd46860a3772fc66b75fb0a2977d489fa7f3b233fb1316ef9b70e99ee7658692f65f070c7cd33d8fa4fed9a96
- SSDEEP
  
  384:poaSsZTSyPG0TLMU9mCzkcu/b49Pji7iJI5TZCP56vS1b+dYUFv8WTa:W1yR8U9mCzkcu/8V2iP56vs+G0a
Score

1^/10
behavioral1 behavioral2
- Target
  
  Data/Packaged/Resource.dll
- Size
  
  189B
- MD5
  
  4427aeee68321d0f4d7befa74e669f83
- SHA1
  
  4670003762a1c217c9e8ea48fcc53f2871a7c341
- SHA256
  
  a9661f89b8d957f4e71cbe1ba0342a39e5b50a1d80d974e2e1b349a273967f1b
- SHA512
  
  9d9156aa8fdebf19363fed2edb82235642c8c20549369470e44fdc0db41324e2160968fd7dd43eecce1ce3da9c03dd05cdefc8d903a9d0394f5ca9a73f5c5fa3
Score

1^/10
behavioral3 behavioral4
- Target
  
  Data/Packaged/Utils.dll
- Size
  
  1KB
- MD5
  
  73e051427246dd4ca45935b1a4bd7e2d
- SHA1
  
  7216f05041252f1c3a9d84aacdf84ef62f1a1045
- SHA256
  
  b7b8b412ab1e4f32da8a7cd42aeaa6e7d8d340cf14977d3e87f7d8f5eb689b0f
- SHA512
  
  3fc10dea91962244389214d189c141466f5630e99b01af5761738ce884df14050cd08a43802dc45bbe9117290c34143b85a75694b6301954b51972180dca1e36
Score

1^/10
behavioral5 behavioral6
- Target
  
  Loader.exe
- Size
  
  761.7MB
- MD5
  
  ccb5114428cf5c1119e1fdacca3cbb24
- SHA1
  
  20d808ed53075c8e3e96c646ee6d48f76f27c4c5
- SHA256
  
  1ec8a7862ede3f356ce39933e45756da4a3dcd42347c4c5b0e06e840063e4ef2
- SHA512
  
  512f9eae2c879a8d996d0f156e26c993f42cc29677600c78ce17de1def25df12c5dfc49e6ccf479841069052738ca764b9e8e3fc72930b26824d878c20e099e6
- SSDEEP
  
  24576:W/2Nr/ox3EcOgDl45miyAZt2xP1vpL0BW9ezlIrqPx1rLvddZsoiS7tnP90NFFuy:W/2NDox3RDmmuUgOhP
Score

10^/10

vidar 408 evasion stealer trojan spyware
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral7 behavioral8