General

  • Target

    2453f0f1232d73d823f5bd2dadf48fb18cff82604d1613d1707ae6fb451743e4.exe

  • Size

    5.4MB

  • Sample

    230327-c9ep6abd44

  • MD5

    0590b2409eb38418e064b552945b3f91

  • SHA1

    ddf8f28eb904f387dd9430082fc8abac98c61efa

  • SHA256

    2453f0f1232d73d823f5bd2dadf48fb18cff82604d1613d1707ae6fb451743e4

  • SHA512

    d59559505434143924e56f4e3e82a1f42eea0fc7a8ffa226d9fc2e6c292e8f2879260326c8e2ac474eb1cf310c52877ae9ce0124b8245eb998d2dbcf2db698c2

  • SSDEEP

    98304:bWFfqP11weDNI1HxzWga8eINvg/Tig3cxq1p0rj/KWCdo0qZIEBdBH1:CBqHweDNI1HxioZarigswpCC+TP

Malware Config

Extracted

  • Family

    vidar

  • Version

    3.1

  • Botnet

    20f95c4f85151b21c48a8766fbd2d32d

  • C2

    https://steamcommunity.com/profiles/76561199472266392
    https://t.me/tabootalks
    http://135.181.26.183:80

  • Attributes

    profile_id_v2: 20f95c4f85151b21c48a8766fbd2d32d
    user_agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79
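Two of the three C2 entries are not servers the sample talks to directly: the Steam profile and the Telegram channel are dead-drop resolvers, a pattern Vidar is known for, where the operator publishes the current C2 address on a legitimate service and the stealer fetches that page at runtime to discover it. The script below, written for this page as an illustration and not taken from the report or from the Vidar code, shows how an analyst recovers the pointer from saved copies of such pages. The HTML fragments are constructed for the example, and the assumption that the address sits in the Steam display name (`actual_persona_name`) and the Telegram channel description (`tgme_page_description`), terminated by a `|`, is a modelling choice for this demo rather than a fact stated on this page.

```python
"""Recover dead-drop C2 pointers from saved Steam profile / Telegram channel pages."""
import re
from html import unescape

# Constructed page fragments standing in for the live Steam profile and Telegram
# channel listed as C2 in the report. The element class names and the placement of
# the C2 string (display name / channel description, "|"-terminated) are assumptions
# made for this example, not details taken from the report.
STEAM_PROFILE_HTML = """
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">http://135.181.26.183:80|</span>
</div>
"""

TELEGRAM_CHANNEL_HTML = """
<div class="tgme_page_description">
  Taboo talks&#33; updates: http://135.181.26.183:80|
</div>
"""

# Where the pointer is expected on each service (assumed layout, see above).
_STEAM_NAME_RE = re.compile(r'class="actual_persona_name">(.*?)</span>', re.S)
_TG_DESC_RE = re.compile(r'class="tgme_page_description">(.*?)</div>', re.S)

# An http(s) URL with optional port and path; stops at whitespace, "|", "<" or a quote,
# so the trailing "|" separator in the constructed samples is not swallowed.
_C2_RE = re.compile(r'(https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s|<"]*)?)')


def extract_field(html, pattern):
    """Return the unescaped, stripped text of the first match of pattern, or None."""
    m = pattern.search(html)
    return unescape(m.group(1)).strip() if m else None


def resolve_dead_drop(html, source):
    """Return every C2 URL found in the dead-drop field of one page ("steam" or "telegram")."""
    pattern = _STEAM_NAME_RE if source == "steam" else _TG_DESC_RE
    field = extract_field(html, pattern)
    if field is None:
        return []
    return _C2_RE.findall(field)


def resolve_all(pages):
    """Deduplicate the C2 URLs found across several (source, html) pairs."""
    found = set()
    for source, html in pages:
        found.update(resolve_dead_drop(html, source))
    return sorted(found)


if __name__ == "__main__":
    pages = [("steam", STEAM_PROFILE_HTML), ("telegram", TELEGRAM_CHANNEL_HTML)]
    for url in resolve_all(pages):
        print("dead-drop C2:", url)
```

Against live pages you would fetch the two URLs (ideally with the `user_agent` string from the config, so the request matches what the sample sends) and feed the bodies to `resolve_dead_drop`; because the operator can rotate the published address at any time, the value on the dead drop at analysis time is the indicator worth blocking, while the Steam and Telegram URLs themselves are only worth alerting on, not blocking, since they are legitimate services.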

Targets

    • Target

      2453f0f1232d73d823f5bd2dadf48fb18cff82604d1613d1707ae6fb451743e4.exe

    • Size

      5.4MB

    • MD5

      0590b2409eb38418e064b552945b3f91

    • SHA1

      ddf8f28eb904f387dd9430082fc8abac98c61efa

    • SHA256

      2453f0f1232d73d823f5bd2dadf48fb18cff82604d1613d1707ae6fb451743e4

    • SHA512

      d59559505434143924e56f4e3e82a1f42eea0fc7a8ffa226d9fc2e6c292e8f2879260326c8e2ac474eb1cf310c52877ae9ce0124b8245eb998d2dbcf2db698c2

    • SSDEEP

      98304:bWFfqP11weDNI1HxzWga8eINvg/Tig3cxq1p0rj/KWCdo0qZIEBdBH1:CBqHweDNI1HxioZarigswpCC+TP

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
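The three registry-based evasion signatures above (VirtualBox ACPI table names, BIOS vendor strings, and the configured country) are what a sandbox operator most often needs to reproduce: if the analysis VM exposes the same artifacts the sample reads, the sample simply exits and the report shows nothing. The script below is an added example written for this page, not code from the report or from the malware; it replays those three lookups against a registry snapshot so you can see what the sample would find. The two snapshots are constructed, the VirtualBox strings mimic what a stock guest typically exposes (an assumption), and the excluded-country set passed to `would_run` is hypothetical, since the report only says "likely geofence" and does not list the countries.

```python
"""Replay the report's registry-based anti-VM and geofence checks against a snapshot."""

# Snapshot format: {(hive, key_path): {value_name: data, "__subkeys__": [names]}}.
# Both snapshots are constructed for this example. The VirtualBox strings are what a
# stock VirtualBox guest typically exposes (assumption); GeoID 244 is the Windows
# code for the United States, 203 for Russia.
VBOX_SNAPSHOT = {
    ("HKLM", r"HARDWARE\ACPI\DSDT"): {"__subkeys__": ["VBOX__"]},
    ("HKLM", r"HARDWARE\ACPI\FADT"): {"__subkeys__": ["VBOX__"]},
    ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS"): {
        "SystemManufacturer": "innotek GmbH",
        "SystemProductName": "VirtualBox",
        "BIOSVendor": "innotek GmbH",
    },
    ("HKCU", r"Control Panel\International\Geo"): {"Nation": "244"},
}

BARE_METAL_SNAPSHOT = {
    ("HKLM", r"HARDWARE\ACPI\DSDT"): {"__subkeys__": ["DELL__"]},
    ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS"): {
        "SystemManufacturer": "Dell Inc.",
        "SystemProductName": "Latitude 7420",
        "BIOSVendor": "Dell Inc.",
    },
    ("HKCU", r"Control Panel\International\Geo"): {"Nation": "203"},
}

# Substrings that give away a hypervisor in ACPI OEM ids or BIOS strings.
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "xen", "hyper-v")

ACPI_TABLES = ("DSDT", "FADT", "RSDT")
BIOS_KEY = ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS")
GEO_KEY = ("HKCU", r"Control Panel\International\Geo")


def acpi_vendor_ids(snapshot):
    """OEM ids present as subkeys of HKLM\\HARDWARE\\ACPI\\{DSDT,FADT,RSDT} (e.g. VBOX__)."""
    ids = set()
    for table in ACPI_TABLES:
        ids.update(snapshot.get(("HKLM", rf"HARDWARE\ACPI\{table}"), {}).get("__subkeys__", []))
    return ids


def bios_strings(snapshot):
    """Every BIOS value the sample could read (manufacturer, product name, vendor, ...)."""
    return [str(v) for k, v in snapshot.get(BIOS_KEY, {}).items() if k != "__subkeys__"]


def geo_nation(snapshot):
    """The configured country as a Windows GeoID string, or None if the key is absent."""
    return snapshot.get(GEO_KEY, {}).get("Nation")


def vm_indicators(snapshot):
    """List the artifacts that would trip the ACPI and BIOS checks; empty means 'looks physical'."""
    hits = []
    for oem in sorted(acpi_vendor_ids(snapshot)):
        if any(marker in oem.lower() for marker in VM_MARKERS):
            hits.append(f"ACPI OEM id {oem!r}")
    for s in bios_strings(snapshot):
        if any(marker in s.lower() for marker in VM_MARKERS):
            hits.append(f"BIOS string {s!r}")
    return hits


def would_run(snapshot, excluded_geoids):
    """True if neither the VM checks nor the (hypothetical) geofence would stop the sample."""
    return not vm_indicators(snapshot) and geo_nation(snapshot) not in excluded_geoids


def snapshot_from_live_registry():
    """Read the same keys from the running Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = [("HKLM", rf"HARDWARE\ACPI\{t}") for t in ACPI_TABLES] + [BIOS_KEY, GEO_KEY]
    snap = {}
    for hive, path in wanted:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
                entry = {"__subkeys__": [winreg.EnumKey(key, i) for i in range(n_subkeys)]}
                for i in range(n_values):
                    name, data, _ = winreg.EnumValue(key, i)
                    entry[name] = data
                snap[(hive, path)] = entry
        except OSError:
            continue
    return snap


if __name__ == "__main__":
    live = snapshot_from_live_registry()
    for label, snap in (("vbox", VBOX_SNAPSHOT), ("bare-metal", BARE_METAL_SNAPSHOT), ("live", live)):
        if snap is None:
            continue
        print(label, "->", vm_indicators(snap) or "no VM artifacts", "| GeoID", geo_nation(snap))
```

Run on an analysis VM, `snapshot_from_live_registry()` shows exactly which strings need patching (ACPI OEM ids, `SystemManufacturer`, `SystemProductName`) before a sample with these checks will execute far enough to produce the network and file-access signatures listed above.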

MITRE ATT&CK Matrix (ATT&CK v6)

The number in parentheses is the count the report attaches to each technique. Note that these are v6 technique IDs: T1130 (Install Root Certificate) and T1081 (Credentials in Files) have since been retired and correspond to T1553.004 and T1552.001 in current ATT&CK.

Defense Evasion

  • Virtualization/Sandbox Evasion (1) T1497
  • Install Root Certificate (1) T1130
  • Modify Registry (1) T1112

Credential Access

  • Credentials in Files (3) T1081

Discovery

  • Query Registry (5) T1012
  • Virtualization/Sandbox Evasion (1) T1497
  • System Information Discovery (5) T1082

Collection

  • Data from Local System (3) T1005
