vidar | 017174414fecd8358abc4568243f2731ac37ec1a42c6429939983799e9a9c98d | Triage

Submit
Reports

Overview

overview

Static

static

7

9ee64b8dc1...9d.exe

windows7-x64

9ee64b8dc1...9d.exe

windows10-2004-x64

Sharing

General

Target

c8912fe8e08b4e0947b0c56201485581.bin
Size

3.8MB
Sample

230327-cnpcgabc37
MD5

6b92a19a4e497b597012fff34af29913
SHA1

c128e0c9efd25b81b355bc6d9f2dadf93b9b0b7f
SHA256

017174414fecd8358abc4568243f2731ac37ec1a42c6429939983799e9a9c98d
SHA512

c299fdca649d84e37a6f29874e9fb33877bc54756250b439fd8b3fd8443eb162b58e557a4820f3eee773b26c8d288ced11d0c764a54ea567ff342c54b2dfc86c
SSDEEP

98304:sKdSaidbpJpQnyxi5+gqdkkWUTJviI8CDqGjOlGa207D:sKd4F3sV3q6kHVEG/y

Score

10^/10

vidar 20f95c4f85151b21c48a8766fbd2d32d discovery spyware stealer vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d.exe

Resource

win7-20230220-en

vidar 20f95c4f85151b21c48a8766fbd2d32d spyware stealer vmprotect

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d.exe

Resource

win10v2004-20230220-en

vidar 20f95c4f85151b21c48a8766fbd2d32d discovery spyware stealer vmprotect

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

3.1

Botnet

20f95c4f85151b21c48a8766fbd2d32d

C2

https://steamcommunity.com/profiles/76561199472266392

https://t.me/tabootalks

http://135.181.26.183:80

Attributes

profile_id_v2
20f95c4f85151b21c48a8766fbd2d32d
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Targets

- Target
  
  9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d.exe
- Size
  
  4.0MB
- MD5
  
  c8912fe8e08b4e0947b0c56201485581
- SHA1
  
  2699d925e8a1708e86afac0f65d8e4797126fe90
- SHA256
  
  9ee64b8dc1af383e25ca542f9ede7a8b649c8b1477012c39fca179637fec289d
- SHA512
  
  c6eca8af85ceeec0a0221a067196bb17ed09bb00931371f79d262d53efcff405c38ea93bb9189d791eb3b358c121a9ec4475f754d1ea92045deff2de0426b70f
- SSDEEP
  
  98304:wqjAMzqBA3pR8BG0Zu+wExyDfpvo0fc/jc/kA3:w4pzqCCBG05w1DRATct3
Score

10^/10

vidar 20f95c4f85151b21c48a8766fbd2d32d spyware stealer vmprotect discovery
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vidar20f95c4f85151b21c48a8766fbd2d32dspywarestealervmprotect

behavioral2

vidar20f95c4f85151b21c48a8766fbd2d32ddiscoveryspywarestealervmprotect

© 2018-2024

Terms | Privacy