General

  • Target

    017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

  • Size

    5.5MB

  • Sample

    240323-ce66xsef5w

  • MD5

    2b74fd898c6ca79faa64f3d9cae268d4

  • SHA1

    206353bb5b604968e4821e115748f9aa3df6a671

  • SHA256

    017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

  • SHA512

    d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7

  • SSDEEP

    98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

C2

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes
  • profile_id_v2

    d165eae423b0d6c5abd85327c20d845d

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Targets

    • Target

      017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

    • Size

      5.5MB

    • MD5

      2b74fd898c6ca79faa64f3d9cae268d4

    • SHA1

      206353bb5b604968e4821e115748f9aa3df6a671

    • SHA256

      017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

    • SHA512

      d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7

    • SSDEEP

      98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks