General

  • Target

    e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed

  • Size

    341KB

  • Sample

    230510-vlsafshc79

  • MD5

    6d236e9e66badd330cbf2982fe0bf9fb

  • SHA1

    2f275a5f83d8807ec0321e1e9b667271db34903f

  • SHA256

    e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed

  • SHA512

    3168daf9754fd614d8c4968bf12d9527050f0bf3aec144b6743193e19d40d023cefad88d1d7d1adebbd2f5002b5a81261189862394ffef84df33571cb0950dd8

  • SSDEEP

    6144:Lua5z4XeLqMVc2Uc1ax/QfTyuAlHKdlJP0K8ah6wu2Ai0qvF:LV5z4XPMPA/QryvodlJP0K8TOF

Malware Config

Extracted

Family

vidar

Version

3.8

Botnet

fc67c63025837fde307ba18d95f5f729

C2

https://steamcommunity.com/profiles/76561198272578552

https://t.me/libpcre

Attributes
  • profile_id_v2

    fc67c63025837fde307ba18d95f5f729

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Targets

    • Target

      e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed

    • Size

      341KB

    • MD5

      6d236e9e66badd330cbf2982fe0bf9fb

    • SHA1

      2f275a5f83d8807ec0321e1e9b667271db34903f

    • SHA256

      e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed

    • SHA512

      3168daf9754fd614d8c4968bf12d9527050f0bf3aec144b6743193e19d40d023cefad88d1d7d1adebbd2f5002b5a81261189862394ffef84df33571cb0950dd8

    • SSDEEP

      6144:Lua5z4XeLqMVc2Uc1ax/QfTyuAlHKdlJP0K8ah6wu2Ai0qvF:LV5z4XPMPA/QryvodlJP0K8TOF

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      Creates a process with a parent other than itself (parent PID spoofing), which breaks parent/child process-tree correlation in EDR and sandbox telemetry.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the stealer runs on this host at all.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers typically harvest stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates Uninstall key entries in the registry to list the software installed on the system (a common source of the "installed programs" field in stealer logs).

    • Legitimate hosting services abused for malware hosting/C2

      The two C2 entries above are a Steam community profile and a Telegram channel. Vidar uses such public profile pages as dead-drop resolvers: the sample fetches the page and reads the real C2 address out of its content, so blocking the hosting domains outright is not practical and detection has to key on the specific profile/channel paths.
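
As an added triage example (not part of the original report, and not the sandbox's own tooling), the script below turns the indicators on this page into two checks a responder can run offline: it verifies a suspect file against all of the listed digests at once, and it scans proxy log lines for the two dead-drop URLs and the hard-coded user-agent. The log format, the source IPs and the log lines themselves are constructed for the example; only the hashes, URLs and user-agent are taken from the report.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
REPORT_HASHES = {
    "md5": "6d236e9e66badd330cbf2982fe0bf9fb",
    "sha1": "2f275a5f83d8807ec0321e1e9b667271db34903f",
    "sha256": "e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed",
}
C2_URLS = {
    "https://steamcommunity.com/profiles/76561198272578552",
    "https://t.me/libpcre",
}
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory file image."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_sample(data: bytes) -> bool:
    """True only when every listed digest agrees; a lone MD5 match is not enough."""
    computed = file_hashes(data)
    return all(computed[k] == v for k, v in REPORT_HASHES.items())


def normalise(url: str) -> str:
    """Lower-case scheme/host, drop query string and trailing slash so the dead-drop
    profile/channel path matches regardless of how the client wrote the request."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


C2_NORMALISED = {normalise(u) for u in C2_URLS}


def c2_hit(url: str) -> bool:
    """Exact path match: steamcommunity.com and t.me as a whole are legitimate."""
    return normalise(url) in C2_NORMALISED


# Constructed proxy log format (hypothetical): <timestamp> <src-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def scan_proxy_log(lines):
    """Return (timestamp, src, url, reasons) for every line matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # malformed line: skip rather than crash the sweep
            continue
        reasons = []
        if c2_hit(m["url"]):
            reasons.append("dead-drop url")
        if m["ua"] == USER_AGENT:
            reasons.append("vidar user-agent")
        if reasons:
            hits.append((m["ts"], m["src"], m["url"], reasons))
    return hits


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/113.0"
# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '2023-05-10T12:00:01Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561198000000000 "' + BROWSER_UA + '"',
    '2023-05-10T12:00:07Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561198272578552/ "' + USER_AGENT + '"',
    '2023-05-10T12:00:09Z 10.0.0.5 GET https://t.me/libpcre "' + BROWSER_UA + '"',
    '2023-05-10T12:00:15Z 10.0.0.9 GET https://example.com/ "' + USER_AGENT + '"',
    'garbage line without the expected fields',
]

if __name__ == "__main__":
    print("hash match for dummy bytes:", matches_sample(b"not the sample"))
    for ts, src, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(ts, src, url, ", ".join(reasons))
```

The user-agent match is deliberately reported as its own reason: the Chrome/90 + Vivaldi/3.7 string is stale enough to be rare in real browser traffic, so a hit on it against an unrelated URL is still worth a look even though it is a weaker indicator than the dead-drop path.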

MITRE ATT&CK Enterprise v6

Tasks