vidar | 5e34f09b2e0d1a442d029a9ca9aa0074d82bf577bb3f4c7a8cedb95314cd9be6 | Triage

Submit
Reports

Overview

overview

Static

static

3

017b15febc...55.exe

windows7-x64

017b15febc...55.exe

windows10-2004-x64

Sharing

General

Target

2b74fd898c6ca79faa64f3d9cae268d4.bin
Size

4.6MB
Sample

240324-brfn3aab6y
MD5

a892e5c86bcf8cb05545d2cf314a5cc7
SHA1

b4db9460d0f70042b11d264953aac57adcf52d75
SHA256

5e34f09b2e0d1a442d029a9ca9aa0074d82bf577bb3f4c7a8cedb95314cd9be6
SHA512

7275ebdb88a1393eed9f1f2a1ab7b720542d386a70540716258fd1ff176e4579162c8e08bb94cd434bd1aee4179af24d0af4984b582560adee52b1b4e65ecb3a
SSDEEP

98304:CKVwC7zHcFO3/UOmHk9ezL18EpO4KajkY74DtW3vjNRlxmc0x5h0j4d:JT8G/UOmHk9ezL18AOxSkeQQbCc0E4d

Score

10^/10

vidar xmrig d165eae423b0d6c5abd85327c20d845d evasion miner persistence stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

Resource

win7-20231129-en

vidar xmrig d165eae423b0d6c5abd85327c20d845d evasion miner persistence stealer upx

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

Resource

win10v2004-20240226-en

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

C2

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
d165eae423b0d6c5abd85327c20d845d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Targets

- Target
  
  017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
- Size
  
  5.5MB
- MD5
  
  2b74fd898c6ca79faa64f3d9cae268d4
- SHA1
  
  206353bb5b604968e4821e115748f9aa3df6a671
- SHA256
  
  017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
- SHA512
  
  d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
- SSDEEP
  
  98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D
Score

10^/10

vidar xmrig d165eae423b0d6c5abd85327c20d845d evasion miner persistence stealer upx
- Detect Vidar Stealer
  stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

vidarxmrigd165eae423b0d6c5abd85327c20d845devasionminerpersistencestealerupx

behavioral2

vidard165eae423b0d6c5abd85327c20d845devasionpersistencestealer

© 2018-2024

Terms | Privacy