General

  • Target

    Setup.exe

  • Size

    2.3MB

  • Sample

    230415-tc8emsef62

  • MD5

    97ea6f4c2e0cfb9770cb7bfdc353c36b

  • SHA1

    12448c9c25d5c7339bd845d4375d8433bed1a216

  • SHA256

    07bbf87fab1e4c25921db3c86c52affbf51727522e30baa9353fe7a5979c61f8

  • SHA512

    f58a568543fc53a2e414ce4928eda5433b903dbdbed931da34c6bc8c9a251f1c2f6b11e6ecbe68c2f6d4917e6ea525019fc8d4d10833a0e88e7f32610da923ac

  • SSDEEP

    49152:WWHPA8PAq5A1zmwILn0+3+5fYr7N9zm5Cd9z3EBiRKy3mJB:WWvVPA+MKwk09NY7N3d9z3E8RL2B

Malware Config

Extracted

  • Family

    vidar

  • Version

    3.4

  • Botnet

    77d3e17ac7e9634fc0dfc5623380697a

  • C2

    https://steamcommunity.com/profiles/76561199494593681

    https://t.me/auftriebs

Attributes

  • profile_id_v2

    77d3e17ac7e9634fc0dfc5623380697a

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Targets

    • Target

      Setup.exe

    • Size

      2.3MB


    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks