Overview

overview

10

Static

static

3

@!#SETUP_F..._$.rar

windows10-2004-x64

3

Setup.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    @!#SETUP_FILE_2024_PASSCODE_$.rar

  • Size

    23.5MB

  • Sample

    240428-vm7rjacf9y

  • MD5

    7611e93930a3ebfc3144343b30cd9dcd

  • SHA1

    2fcfefd406cfbade85a6e58aa06442bd925aeb5d

  • SHA256

    e8b27d9776228fec69909096f712fcbf90cd8a335394e3791ac3be7cb37b3556

  • SHA512

    93240b34e717a3c93d1ca7bdb25c7bbfc3bb5969c09c6dacc1dcb6b1e92577da311e006442ce1a5d28c99625abafa666a76b33b4f80f9195669d2702dc7d3673

  • SSDEEP

    393216:FK6+W0Ec0JqaRS46jX7k2E1AIvcGdqwHjW0V/exgk+oraBa8m2kPU0t8:86n0EcqS5X7OiIUNwD3eh+fBu2uU0t8

Score
10/10
banloadvidar2d607fa287d60e8ad23c103ccc60d6b0downloaderdropperevasionpersistencestealertrojan

Malware Config

Extracted

Family

vidar

Botnet

2d607fa287d60e8ad23c103ccc60d6b0

C2

https://hypaton.xyz

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82
Attributes
  • profile_id_v2

    2d607fa287d60e8ad23c103ccc60d6b0

  • user_agent

    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Targets

    • Target

      @!#SETUP_FILE_2024_PASSCODE_$.rar

    • Size

      23.5MB

    • MD5

      7611e93930a3ebfc3144343b30cd9dcd

    • SHA1

      2fcfefd406cfbade85a6e58aa06442bd925aeb5d

    • SHA256

      e8b27d9776228fec69909096f712fcbf90cd8a335394e3791ac3be7cb37b3556

    • SHA512

      93240b34e717a3c93d1ca7bdb25c7bbfc3bb5969c09c6dacc1dcb6b1e92577da311e006442ce1a5d28c99625abafa666a76b33b4f80f9195669d2702dc7d3673

    • SSDEEP

      393216:FK6+W0Ec0JqaRS46jX7k2E1AIvcGdqwHjW0V/exgk+oraBa8m2kPU0t8:86n0EcqS5X7OiIUNwD3eh+fBu2uU0t8

    Score
    3/10
    behavioral1

    • Target

      Setup.exe

    • Size

      8.5MB

    • MD5

      98169506fec94c2b12ba9930ad704515

    • SHA1

      bce662a9fb94551f648ba2d7e29659957fd6a428

    • SHA256

      9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

    • SHA512

      7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

    • SSDEEP

      196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

    Score
    10/10
    banloadvidar2d607fa287d60e8ad23c103ccc60d6b0downloaderdropperevasionpersistencestealertrojan

    • Banload

      Banload variants download malicious files, then install and execute the files.

      trojandropperdownloaderbanload

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks