vidar | 0c7f8dee63b0e813a056dcae3e3b750170bd1e9a49f89c269aab53440a61fb63 | Triage

Submit
Reports

Overview

overview

Static

static

versionUnl...im.exe

windows7-x64

versionUnl...im.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

best.zip
Size

5.7MB
Sample

230130-r8w1daag65
MD5

2ffceba04da1864c83d3c25d7b9e9c04
SHA1

c17ba58ffa7bc99c02f6bf8126f2eaa72c3dffcb
SHA256

0c7f8dee63b0e813a056dcae3e3b750170bd1e9a49f89c269aab53440a61fb63
SHA512

7a1540f29c831f15544c287657459a34e5512a1a08b1bf4d017c55cd0a107f2a342b77c2b9d4fd6bf03c818ab2e4b8c0be7f8cdc9c5aad272afcef1a5ab41349
SSDEEP

98304:AmGEsG05IIH3qMLua6JR/1k62TW6vqt4lsZo411BB6uqdMaHSud6uK:2805I2qMiaWJj2TWfQs1kbHx6R

Score

10^/10

vidar 713 pyinstaller spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

versionUnlim/versionUnlim.exe

Resource

win7-20220812-en

vidar 713 stealer

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

versionUnlim/versionUnlim.exe

Resource

win10v2004-20221111-en

vidar 713 pyinstaller spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

713

C2

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
713

Extracted

Language

hta

Source

URLs

hta.dropper

https://gooddeal.sbs:51815/RXCctmpaTQivnMfw/EpvMFDkSfCGrtcyH.html#XCMY3GO1SixUkATFPN46J5nqchwLbHoBDmEjIQgeyp9rVsW7v8fluz2at0KZRd+/=

Targets

- Target
  
  versionUnlim/versionUnlim.exe
- Size
  
  687.3MB
- MD5
  
  b968556abe1c5a69f92e087362ad9940
- SHA1
  
  5efb43f00172f93529e6a7020ef99eb53ade2085
- SHA256
  
  638c000a00329b825dc9ce0335d47edd0874687fc312d3d38fa48141a7353184
- SHA512
  
  0f75ddc93d98a954f7b908d503e7cad770513d237d86bb2440308b51ab3a91520cb2ae34a953a57e13885df8c7f551a13fc31dd3436198a5ddec0912d2dd9600
- SSDEEP
  
  49152:yo0/UeZ/NN/e+F8KoAVU0cuQiA4OChr1:K9e+584O
Score

10^/10

vidar 713 stealer pyinstaller spyware
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vidar713stealer

behavioral2

vidar713pyinstallerspywarestealer

© 2018-2025

Terms | Privacy