General

  • Target

    f45a8e04076925bd0d3990adaa82182945dad0c72d35873a108eb2cdefe29063

  • Size

    5.3MB

  • Sample

    230922-hwkxxagc82

  • MD5

    990824b28b1db8f0e38bec6aebeaf1b2

  • SHA1

    75b2904f3481e5468e3076b842ff529b23e2d20b

  • SHA256

    f45a8e04076925bd0d3990adaa82182945dad0c72d35873a108eb2cdefe29063

  • SHA512

    8a8637b4c50c9f92d42a4bae02dbe8e19d7867d91a542b95916d8de88eaf1dba5e7ede0b82934d6015e90d6b355a0193bfe6a941ffbb72ba97f9ee7e59c172f8

  • SSDEEP

    98304:bz+UuR7m7n5+OPAZU+leHfQkjA1JAE5lPKn4m/V38fque1VIL:h8yn5+vZ6ALKnjyfRUI

Malware Config

Extracted

Family

vidar

Version

5.7

Botnet

348bd4740381edfdd4d5e8143ef4a08e

C2

https://steamcommunity.com/profiles/76561199553369541

https://t.me/dastanatg

Attributes
  • profile_id_v2

    348bd4740381edfdd4d5e8143ef4a08e

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.7 Safari/605.1.75

Targets

    • Target

      f45a8e04076925bd0d3990adaa82182945dad0c72d35873a108eb2cdefe29063

    • Size

      5.3MB

    • MD5

      990824b28b1db8f0e38bec6aebeaf1b2

    • SHA1

      75b2904f3481e5468e3076b842ff529b23e2d20b

    • SHA256

      f45a8e04076925bd0d3990adaa82182945dad0c72d35873a108eb2cdefe29063

    • SHA512

      8a8637b4c50c9f92d42a4bae02dbe8e19d7867d91a542b95916d8de88eaf1dba5e7ede0b82934d6015e90d6b355a0193bfe6a941ffbb72ba97f9ee7e59c172f8

    • SSDEEP

      98304:bz+UuR7m7n5+OPAZU+leHfQkjA1JAE5lPKn4m/V38fque1VIL:h8yn5+vZ6ALKnjyfRUI

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks