General

  • Target

    0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66

  • Size

    307KB

  • Sample

    230410-vptmpage9y

  • MD5

    3bbb5b1e5a089ac75f370d80f1414901

  • SHA1

    e33dcd8b678ca8b72bdb596f024687588320b732

  • SHA256

    0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66

  • SHA512

    b74c122d18922e3d4a86bc277ccdc83988240d996acc79125592c166bb91230665d4c0b29a284c982496089e61672ce39989fc36eb4966ab9cfcaaba1fecdc6b

  • SSDEEP

    6144:S28Ed+rCJCYaISiVkNIVHSYeICIZxs6RX98H1wQUtT:4fxPINSSVHSnICCRqH1ET

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes
  • profile_id_v2

    e749025c61b2caca10aa829a9e1a65a1

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

    • Target

      0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66

    • Size

      307KB

    • MD5

      3bbb5b1e5a089ac75f370d80f1414901

    • SHA1

      e33dcd8b678ca8b72bdb596f024687588320b732

    • SHA256

      0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66

    • SHA512

      b74c122d18922e3d4a86bc277ccdc83988240d996acc79125592c166bb91230665d4c0b29a284c982496089e61672ce39989fc36eb4966ab9cfcaaba1fecdc6b

    • SSDEEP

      6144:S28Ed+rCJCYaISiVkNIVHSYeICIZxs6RX98H1wQUtT:4fxPINSSVHSnICCRqH1ET

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks