vidar | 9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d | Triage

Submit
Reports

Overview

overview

Static

static

7

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

4.0MB
Sample

230325-x53lmseb35
MD5

c8912fe8e08b4e0947b0c56201485581
SHA1

2699d925e8a1708e86afac0f65d8e4797126fe90
SHA256

9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d
SHA512

c6eca8af85ceeec0a0221a067196bb17ed09bb00931371f79d262d53efcff405c38ea93bb9189d791eb3b358c121a9ec4475f754d1ea92045deff2de0426b70f
SSDEEP

98304:wqjAMzqBA3pR8BG0Zu+wExyDfpvo0fc/jc/kA3:w4pzqCCBG05w1DRATct3

Score

10^/10

vidar 20f95c4f85151b21c48a8766fbd2d32d discovery spyware stealer vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230220-en

vidar 20f95c4f85151b21c48a8766fbd2d32d stealer vmprotect

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230220-en

vidar 20f95c4f85151b21c48a8766fbd2d32d discovery spyware stealer vmprotect

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

3.1

Botnet

20f95c4f85151b21c48a8766fbd2d32d

C2

https://steamcommunity.com/profiles/76561199472266392

https://t.me/tabootalks

http://135.181.26.183:80

Attributes

profile_id_v2
20f95c4f85151b21c48a8766fbd2d32d
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Targets

- Target
  
  file.exe
- Size
  
  4.0MB
- MD5
  
  c8912fe8e08b4e0947b0c56201485581
- SHA1
  
  2699d925e8a1708e86afac0f65d8e4797126fe90
- SHA256
  
  9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d
- SHA512
  
  c6eca8af85ceeec0a0221a067196bb17ed09bb00931371f79d262d53efcff405c38ea93bb9189d791eb3b358c121a9ec4475f754d1ea92045deff2de0426b70f
- SSDEEP
  
  98304:wqjAMzqBA3pR8BG0Zu+wExyDfpvo0fc/jc/kA3:w4pzqCCBG05w1DRATct3
Score

10^/10

vidar 20f95c4f85151b21c48a8766fbd2d32d stealer vmprotect discovery spyware
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vidar20f95c4f85151b21c48a8766fbd2d32dstealervmprotect

behavioral2

vidar20f95c4f85151b21c48a8766fbd2d32ddiscoveryspywarestealervmprotect

© 2018-2024

Terms | Privacy