Overview

overview

10

Static

static

1

CPU-Z.exe

windows7-x64

10

CPU-Z.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup.zip

  • Size

    10.2MB

  • Sample

    230203-r5ftzsfg59

  • MD5

    68b7be335a7aba9c8f2a3b3662de155e

  • SHA1

    12b597976c601d10f0f38ec2515745a0c0969705

  • SHA256

    c2194401e99bfeeb2f01be021903879abb3b9679d50da5a528619a4bee314d57

  • SHA512

    01cf13beabc28834cb5e488858c195462c1697dce39d11ed334339f6e84b4e9fa98439ab95584ce6ffca0c342e37ddc1abdb82020936f3619018f5251ed24f45

  • SSDEEP

    196608:y1fHHu3urHmay7xuATM22sJwLXRrGO+cf7CU0dJnuLxKB0/:K4KG7xRTFrJwLXZCz8M0/

Score
10/10
purecryptervidar682discoverydownloaderloaderspywarestealer

Malware Config

Extracted

Family

vidar

Version

2.3

Botnet

682

C2

http://46.151.26.234:80

Attributes
  • profile_id

    682

Targets

    • Target

      CPU-Z.exe

    • Size

      683.7MB

    • MD5

      3cdb58d52e9b7c5ca06ff327d8010f9a

    • SHA1

      add127cbecef9f393ae0a40f7c17c84adb5c5b5f

    • SHA256

      297266aaa8d272f87c66e3ac63e58aa9411718eb75cab08f90ee1c64c099ed94

    • SHA512

      8fbeaf7c2e0dfbfe0f75f77c8f2e7ab000db07c5b603c9e3f8ac215e23cf5009adf118027589a18665c54431df35454811cc2e4a3ba7af6379723342cf4cbc26

    • SSDEEP

      1536:tDy0zIjGWZXMig6NCDZq68SVciCz9WkngFSc6gJN+80+3vIDix1oHwJ:E0zAGWzboWiBjNl+8/7x2K

    Score
    10/10
    purecryptervidar682discoverydownloaderloaderspywarestealer

    • Detect PureCrypter injector

      loader

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks