General

  • Target

    dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6

  • Size

    323KB

  • Sample

    230412-ce98ksgh32

  • MD5

    7833a64626dcb1acf40d2c42e1baa5b5

  • SHA1

    476d6dbaeac411af43ee8f0d69533ccdaaf36369

  • SHA256

    dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6

  • SHA512

    0d8156fdc07493cc7394c5941195691ccfc84878c972d996e6ccedd3d7f5e93930a744790970b433c5212140859dea8be51f907c123c24c8b23e33a423fdd8d9

  • SSDEEP

    6144:bYUh59fn+oM9ZgPI0XGCROT4OFU4MT+LMsyj003V55wh:5z9WR9ZgP7XVOTJFUZTZse0Y

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes
  • profile_id_v2

    e749025c61b2caca10aa829a9e1a65a1

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6
