Overview

overview

10

Static

static

7

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    2.9MB

  • Sample

    230217-xfrg3sgg99

  • MD5

    a27435d71d3c86e923a81fd66d5118bf

  • SHA1

    9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd

  • SHA256

    ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

  • SHA512

    670b7ef2f6a139cd01909e3f385ddf855fb61589b9ec0d6aa001abbe773705e8e4b10edd9bc23734ae61e8b0e8d7e8e13e9011e0c22979a1dc5a20b91715a890

  • SSDEEP

    49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx

Score
10/10
vidar813discoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

2.5

Botnet

813

Attributes
  • profile_id

    813

Targets

    • Target

      file.exe

    • Size

      2.9MB

    • MD5

      a27435d71d3c86e923a81fd66d5118bf

    • SHA1

      9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd

    • SHA256

      ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

    • SHA512

      670b7ef2f6a139cd01909e3f385ddf855fb61589b9ec0d6aa001abbe773705e8e4b10edd9bc23734ae61e8b0e8d7e8e13e9011e0c22979a1dc5a20b91715a890

    • SSDEEP

      49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx

    Score
    10/10
    vidar813evasionspywarestealerthemidatrojandiscovery

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks