vidar | 159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882 | Triage

Sharing

General

Target

532c1c8d138de39ab85eab26d237e864
Size

617KB
Sample

230412-pznxascc88
MD5

532c1c8d138de39ab85eab26d237e864
SHA1

75404e49bda38131263d9248680f00095a2c7c10
SHA256

159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882
SHA512

a10275fafd5668019eb89d02fc3c3f1eedbd552b3561b777cb62c991f3f842aa5088cc7c6c0b19d962a74c5e4543fe32619f9c21299fea0c7dc19e0f523efc0f
SSDEEP

3072:LOhX0N7+f1E5FX4gjCO99PmzBxWkUDOmEORLOtLBCFTH9Vxr:ShEN7+W4gh99O+kU6JOJkITHp

Score

10^/10

vidar 0e17f083173cc2ea34d9ec9eba45b33f persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

0e17f083173cc2ea34d9ec9eba45b33f

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
0e17f083173cc2ea34d9ec9eba45b33f
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Targets

- Target
  
  532c1c8d138de39ab85eab26d237e864
- Size
  
  617KB
- MD5
  
  532c1c8d138de39ab85eab26d237e864
- SHA1
  
  75404e49bda38131263d9248680f00095a2c7c10
- SHA256
  
  159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882
- SHA512
  
  a10275fafd5668019eb89d02fc3c3f1eedbd552b3561b777cb62c991f3f842aa5088cc7c6c0b19d962a74c5e4543fe32619f9c21299fea0c7dc19e0f523efc0f
- SSDEEP
  
  3072:LOhX0N7+f1E5FX4gjCO99PmzBxWkUDOmEORLOtLBCFTH9Vxr:ShEN7+W4gh99O+kU6JOJkITHp
Score

10^/10

persistence vidar 0e17f083173cc2ea34d9ec9eba45b33f spyware stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vidar0e17f083173cc2ea34d9ec9eba45b33fpersistencespywarestealer