General
-
Target
D7C08A686196D6C28D4F79588AEC7A0CA0123E35C57A9.exe
-
Size
558KB
-
Sample
230601-q5s9msee74
-
MD5
e91cc2e537362de1efdbcfd78cc6c662
-
SHA1
0537b130c780406acbb7ecfc85ce103f944f41c7
-
SHA256
d7c08a686196d6c28d4f79588aec7a0ca0123e35c57a9b1362e9ac0e381c176b
-
SHA512
25658cabfefb93ec031a7cb6837ce81028df3873f0c8191361a44c275573c77cdf038bf01b00e121e10565cf49768e45ba9442cb19f9772daaa50244b08ebd8f
-
SSDEEP
12288:w8V18UCk9UOjfCTBNZtZYRD8pd0yyC74awwi5fK2:rf9/+3lKDcyVG4Jwi5fn
Malware Config
Extracted
vidar
9
237
http://hotticketsale.com/
-
profile_id
237
Targets
-
-
Target
D7C08A686196D6C28D4F79588AEC7A0CA0123E35C57A9.exe
-
Size
558KB
-
MD5
e91cc2e537362de1efdbcfd78cc6c662
-
SHA1
0537b130c780406acbb7ecfc85ce103f944f41c7
-
SHA256
d7c08a686196d6c28d4f79588aec7a0ca0123e35c57a9b1362e9ac0e381c176b
-
SHA512
25658cabfefb93ec031a7cb6837ce81028df3873f0c8191361a44c275573c77cdf038bf01b00e121e10565cf49768e45ba9442cb19f9772daaa50244b08ebd8f
-
SSDEEP
12288:w8V18UCk9UOjfCTBNZtZYRD8pd0yyC74awwi5fK2:rf9/+3lKDcyVG4Jwi5fn
Score10/10-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-