Overview

overview

10

Static

static

1

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    1.7MB

  • Sample

    230327-qrs2qaff9z

  • MD5

    7811c8e24019a783e1c72e7eeb58215f

  • SHA1

    d21422ed627d291a80e08fa77d3cfc126e94d4cc

  • SHA256

    b70354fa72344ed5262ef55243ab71e20149fcd87ec772b4b77ea44c93ff79b8

  • SHA512

    1f6299d5df5fa6c59f5cefe1a4b64e19511e5308c82d279d237bf1d6492fcc7e01eff349382c9dfddaf51e01f55d735849c6ba351f86a4fa437dae811efbcf10

  • SSDEEP

    24576:IzYyxHFKIlJX0oXMAsksIyESF/PvWGS5JcT1pWNpFj6zpe3rNNyJfOxmsAYQCOUO:+YyjxM3kMF/Eb+o3QYQJURnCyZrxS

Score
10/10
lgoogloadervidarba1fc89d9f7df84dadf34886aabb246cdownloaderspywarestealer

Malware Config

Extracted

Family

vidar

Version

3.1

Botnet

ba1fc89d9f7df84dadf34886aabb246c

C2

https://t.me/owned001

http://65.109.236.2:80

https://t.me/tabootalks

https://steamcommunity.com/profiles/76561199472266392

http://135.181.26.183:80
Attributes
  • profile_id_v2

    ba1fc89d9f7df84dadf34886aabb246c

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Targets

    • Target

      file.exe

    • Size

      1.7MB

    • MD5

      7811c8e24019a783e1c72e7eeb58215f

    • SHA1

      d21422ed627d291a80e08fa77d3cfc126e94d4cc

    • SHA256

      b70354fa72344ed5262ef55243ab71e20149fcd87ec772b4b77ea44c93ff79b8

    • SHA512

      1f6299d5df5fa6c59f5cefe1a4b64e19511e5308c82d279d237bf1d6492fcc7e01eff349382c9dfddaf51e01f55d735849c6ba351f86a4fa437dae811efbcf10

    • SSDEEP

      24576:IzYyxHFKIlJX0oXMAsksIyESF/PvWGS5JcT1pWNpFj6zpe3rNNyJfOxmsAYQCOUO:+YyjxM3kMF/Eb+o3QYQJURnCyZrxS

    Score
    10/10
    lgoogloadervidarba1fc89d9f7df84dadf34886aabb246cdownloaderspywarestealer

    • Detects LgoogLoader payload

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

      downloaderlgoogloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks