vidar | 828ad6fd2f0a2fdf7ee1826628156cf90e8fbc312847f47c3ea5c508977a3591 | Triage

Sharing

General

Target

GTA5 Mod Menu.rar
Size

6.3MB
Sample

230404-rbjzjsfd88
MD5

ec401275bb67cd6afc4c2a9ac769a432
SHA1

363191aaf7e062dcd3a6879c70546affa286eeff
SHA256

828ad6fd2f0a2fdf7ee1826628156cf90e8fbc312847f47c3ea5c508977a3591
SHA512

12cb728ddeb43b43401bd4a523a4863696800fe991299fde5b07cdc10adf424ef754967c11550300bbbc48256b3ceb06f40fc039bbcb97cbd4bc202a931ab657
SSDEEP

98304:7n3wLdHdhd/ZrNPT1wF43yyBukFTglMof5wDzArpN7PZ6CESZmlUbzy+ZE0G52Gx:7ALFdR9BuKlu5wDzAViSEl+zyyI5234

Score

10^/10

vidar 49bd1304650cc9c7f3f131428d9e16c2 bootkit evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

3.3

Botnet

49bd1304650cc9c7f3f131428d9e16c2

C2

https://steamcommunity.com/profiles/76561199492257783

https://t.me/justsometg

Attributes

profile_id_v2
49bd1304650cc9c7f3f131428d9e16c2
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Targets

- Target
  
  Setup.exe
- Size
  
  1023.0MB
- MD5
  
  ef8d846aec55eddbbfa2472f9d66c2e7
- SHA1
  
  7e75e159b0a62a62d8d775b6dcd4682b59122c28
- SHA256
  
  d9a7ab42bcc0d232c84718ef977a0addc3bd7efd184970e88c6f5b85f03c27b1
- SHA512
  
  791f226bcda1ab1ec0cbaba03ea00ee56325bffbc3b0ee8dd6010d86cc4190c4e8054422e9a1fd9955b42366cb06ebedd0c49ad8b3ed13d17398d23b63fa0314
- SSDEEP
  
  196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0G:41m3OMEljl7lPftGgPuDr
Score

10^/10

vidar 49bd1304650cc9c7f3f131428d9e16c2 bootkit evasion persistence spyware stealer trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vidar49bd1304650cc9c7f3f131428d9e16c2bootkitevasionpersistencespywarestealertrojan

behavioral2

bootkitevasionpersistencetrojan