Overview

overview

10

Static

static

7

f45a8e0407...63.exe

windows7-x64

10

f45a8e0407...63.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    990824b28b1db8f0e38bec6aebeaf1b2.bin

  • Size

    5.1MB

  • Sample

    230924-cfcnpsde45

  • MD5

    687061b47bf902e8c2850ef395d55e74

  • SHA1

    ccaa4c235aeea55d3d6763d3f016a5b1488ddded

  • SHA256

    1b9b20bf3cb028faa65a0a93602711ac4402ddf4c22b3708bd9e1246b65f6cd8

  • SHA512

    9be16ac460787a27e5f0c53fd30cf7bb76c90f5b918370019e3754cec33519b2f91f871c7ee5743b00dbab175794292eb6c1cfd66f98d7f269b29c4383bd550a

  • SSDEEP

    98304:yXDYFEr/5s7NGfpIAk0+e7Ze2zhEIpJrNV8xzB:qVhs7NgpIAkzeIYEIpAB

Score
10/10
vidar348bd4740381edfdd4d5e8143ef4a08ediscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

5.7

Botnet

348bd4740381edfdd4d5e8143ef4a08e

C2

https://steamcommunity.com/profiles/76561199553369541

https://t.me/dastanatg
Attributes
  • profile_id_v2

    348bd4740381edfdd4d5e8143ef4a08e

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.7 Safari/605.1.75

Targets

    • Target

      f45a8e04076925bd0d3990adaa82182945dad0c72d35873a108eb2cdefe29063.exe

    • Size

      5.3MB

    • MD5

      990824b28b1db8f0e38bec6aebeaf1b2

    • SHA1

      75b2904f3481e5468e3076b842ff529b23e2d20b

    • SHA256

      f45a8e04076925bd0d3990adaa82182945dad0c72d35873a108eb2cdefe29063

    • SHA512

      8a8637b4c50c9f92d42a4bae02dbe8e19d7867d91a542b95916d8de88eaf1dba5e7ede0b82934d6015e90d6b355a0193bfe6a941ffbb72ba97f9ee7e59c172f8

    • SSDEEP

      98304:bz+UuR7m7n5+OPAZU+leHfQkjA1JAE5lPKn4m/V38fque1VIL:h8yn5+vZ6ALKnjyfRUI

    Score
    10/10
    vidar348bd4740381edfdd4d5e8143ef4a08ediscoveryevasionspywarestealerthemidatrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks