vidar | 017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455 | Triage

Submit
Reports

Overview

overview

Static

static

3

017b15febc...55.exe

windows7-x64

017b15febc...55.exe

windows10-2004-x64

Sharing

General

Target

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
Size

5.5MB
Sample

240323-ce66xsef5w
MD5

2b74fd898c6ca79faa64f3d9cae268d4
SHA1

206353bb5b604968e4821e115748f9aa3df6a671
SHA256

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
SHA512

d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
SSDEEP

98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Score

10^/10

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

Resource

win7-20240221-en

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

Resource

win10v2004-20240226-en

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

C2

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
d165eae423b0d6c5abd85327c20d845d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Targets

- Target
  
  017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
- Size
  
  5.5MB
- MD5
  
  2b74fd898c6ca79faa64f3d9cae268d4
- SHA1
  
  206353bb5b604968e4821e115748f9aa3df6a671
- SHA256
  
  017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
- SHA512
  
  d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
- SSDEEP
  
  98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D
Score

10^/10

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

vidard165eae423b0d6c5abd85327c20d845devasionpersistencestealer

behavioral2

vidard165eae423b0d6c5abd85327c20d845devasionpersistencestealer

© 2018-2024

Terms | Privacy