Overview

overview

10

Static

static

3

gcapi.dll

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gcapi.dll

  • Size

    385KB

  • Sample

    240211-v63a6acb35

  • MD5

    1ce7d5a1566c8c449d0f6772a8c27900

  • SHA1

    60854185f6338e1bfc7497fd41aa44c5c00d8f85

  • SHA256

    73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

  • SHA512

    7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

  • SSDEEP

    6144:Tv/ioKdMF+LZD/ZRj1vwWrrUFMNoz4pFGxjEB1NYAOrabN2GZvFcD7:Td+LZrNwWrrwMNoz4vG1OYZabtK7

Score
10/10
vidarzloadere0127784745c009143122ea0882115a4botnetdiscoverypersistenceransomwarestealertrojan

Malware Config

Extracted

Family

vidar

Version

7.7

Botnet

e0127784745c009143122ea0882115a4

C2

https://116.203.165.197

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327
Attributes
  • profile_id_v2

    e0127784745c009143122ea0882115a4

Targets

    • Target

      gcapi.dll

    • Size

      385KB

    • MD5

      1ce7d5a1566c8c449d0f6772a8c27900

    • SHA1

      60854185f6338e1bfc7497fd41aa44c5c00d8f85

    • SHA256

      73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

    • SHA512

      7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

    • SSDEEP

      6144:Tv/ioKdMF+LZD/ZRj1vwWrrUFMNoz4pFGxjEB1NYAOrabN2GZvFcD7:Td+LZrNwWrrwMNoz4vG1OYZabtK7

    Score
    10/10
    vidarzloadere0127784745c009143122ea0882115a4botnetdiscoverypersistenceransomwarestealertrojan

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Renames multiple (80) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Modifies Installed Components in the registry

      persistence

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Defense Evasion

Modify Registry

5
T1112

Credential Access

Discovery

Query Registry

5
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks