General

  • Target

    setup.exe

  • Size

    470KB

  • Sample

    230415-apgmxadh9t

  • MD5

    ddab7e661ea7e21ffeb5734215f57ae4

  • SHA1

    0fe903952c84f4ac149d499e3520b8c36f30059a

  • SHA256

    9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62

  • SHA512

    7cb9f4983c5b46853a13f4f30669aa19703dd9fd724d7274f5775201e865b0f9027a6fe9c1c3726948d35b2be093a2e878b247eda2e493961ce5b62f03db5c74

  • SSDEEP

    6144:ThNurJhw3quvV0W17a8TLD9fg3atx6yAH9K0y231HzJbVnTyGhFCGclxi:ThSJy1vV087a2Dhg3atIE0y23pGGh

Malware Config

Extracted

  • Family

    vidar

  • Version

    3.4

  • Botnet

    e749025c61b2caca10aa829a9e1a65a1

  • C2

    https://steamcommunity.com/profiles/76561199494593681

    https://t.me/auftriebs

  • Attributes

    • profile_id_v2

      e749025c61b2caca10aa829a9e1a65a1

    • user_agent

      Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

  • Family

    laplas

  • C2

    http://185.106.92.74

  • Attributes

    • api_key

      bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

    • Target

      setup.exe

    • Size

      470KB

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6
