General

  • Target

    Setup.zip

  • Size

    10.2MB

  • Sample

    230203-r5ftzsfg59

  • MD5

    68b7be335a7aba9c8f2a3b3662de155e

  • SHA1

    12b597976c601d10f0f38ec2515745a0c0969705

  • SHA256

    c2194401e99bfeeb2f01be021903879abb3b9679d50da5a528619a4bee314d57

  • SHA512

    01cf13beabc28834cb5e488858c195462c1697dce39d11ed334339f6e84b4e9fa98439ab95584ce6ffca0c342e37ddc1abdb82020936f3619018f5251ed24f45

  • SSDEEP

    196608:y1fHHu3urHmay7xuATM22sJwLXRrGO+cf7CU0dJnuLxKB0/:K4KG7xRTFrJwLXZCz8M0/

Malware Config

Extracted

  • Family

    vidar

  • Version

    2.3

  • Botnet

    682

  • C2

    http://46.151.26.234:80

  • Attributes

    • profile_id

      682

Targets

    • Target

      CPU-Z.exe

    • Size

      683.7MB

    • MD5

      3cdb58d52e9b7c5ca06ff327d8010f9a

    • SHA1

      add127cbecef9f393ae0a40f7c17c84adb5c5b5f

    • SHA256

      297266aaa8d272f87c66e3ac63e58aa9411718eb75cab08f90ee1c64c099ed94

    • SHA512

      8fbeaf7c2e0dfbfe0f75f77c8f2e7ab000db07c5b603c9e3f8ac215e23cf5009adf118027589a18665c54431df35454811cc2e4a3ba7af6379723342cf4cbc26

    • SSDEEP

      1536:tDy0zIjGWZXMig6NCDZq68SVciCz9WkngFSc6gJN+80+3vIDix1oHwJ:E0zAGWzboWiBjNl+8/7x2K

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
