Overview

overview

10

Static

static

1

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    1.7MB

  • Sample

    230323-nat7cafc27

  • MD5

    6879c0e92290ed7a0e289cc3aaedc855

  • SHA1

    142ec4479eab773d71ef7b2a76425c039b45fc1b

  • SHA256

    7cf4bbf990447d72bd9d0ba0a19d824f8b598b4a8759cec8e53f92c2db9a221b

  • SHA512

    99b9339c3db036c30146057caaf15e3b4b3aaacb82123802af677406aaa5646ece4c9349daa97faff2d740b43bf19b0dfe39d492cdf7d1af19c41ce0959dbacd

  • SSDEEP

    49152:oylp0eRr/wxlEr1k68gUOGWVwEEEEGoqFdC8:oyJRr/Qi1kpR1WVwEEEEGoqFd3

Score
10/10
lgoogloadervidarba1fc89d9f7df84dadf34886aabb246cdownloaderspywarestealer

Malware Config

Extracted

Family

vidar

Version

3.1

Botnet

ba1fc89d9f7df84dadf34886aabb246c

C2

https://t.me/owned001

http://65.109.236.2:80

https://t.me/tabootalks

https://steamcommunity.com/profiles/76561199472266392

http://135.181.26.183:80
Attributes
  • profile_id_v2

    ba1fc89d9f7df84dadf34886aabb246c

Targets

    • Target

      file.exe

    • Size

      1.7MB

    • MD5

      6879c0e92290ed7a0e289cc3aaedc855

    • SHA1

      142ec4479eab773d71ef7b2a76425c039b45fc1b

    • SHA256

      7cf4bbf990447d72bd9d0ba0a19d824f8b598b4a8759cec8e53f92c2db9a221b

    • SHA512

      99b9339c3db036c30146057caaf15e3b4b3aaacb82123802af677406aaa5646ece4c9349daa97faff2d740b43bf19b0dfe39d492cdf7d1af19c41ce0959dbacd

    • SSDEEP

      49152:oylp0eRr/wxlEr1k68gUOGWVwEEEEGoqFdC8:oyJRr/Qi1kpR1WVwEEEEGoqFd3

    Score
    10/10
    lgoogloadervidarba1fc89d9f7df84dadf34886aabb246cdownloaderspywarestealer

    • Detects LgoogLoader payload

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

      downloaderlgoogloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks