General
-
Target
6f70feca23db40bc38ee96e342114a34c9391b156f0af2f37bd691c155aee845
-
Size
2.0MB
-
Sample
240527-3jewcaeb3y
-
MD5
d73f74414a8901e5fe110c33426984b6
-
SHA1
3c3dee0d190b1418cc5037da53064772879d4f63
-
SHA256
6f70feca23db40bc38ee96e342114a34c9391b156f0af2f37bd691c155aee845
-
SHA512
cecabc1a921331b71b04f1b13748d005585508d935ed379ed0dcfa136267b71725f4b5e5adbad8407f51496f22613de01bae2c3942afd34b4ed4ff5a5cb8eb14
-
SSDEEP
49152:OePpQEtJtTF+TxMoxc1TU+j+dAzGwlrh:OePpQEttIuoITsdZ
Static task
static1
Behavioral task
behavioral1
Sample
6f70feca23db40bc38ee96e342114a34c9391b156f0af2f37bd691c155aee845.exe
Resource
win7-20231129-en
Malware Config
Extracted
stealc
Extracted
vidar
https://steamcommunity.com/profiles/76561199689717899
https://t.me/copterwin
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Targets
-
-
Target
6f70feca23db40bc38ee96e342114a34c9391b156f0af2f37bd691c155aee845
-
Size
2.0MB
-
MD5
d73f74414a8901e5fe110c33426984b6
-
SHA1
3c3dee0d190b1418cc5037da53064772879d4f63
-
SHA256
6f70feca23db40bc38ee96e342114a34c9391b156f0af2f37bd691c155aee845
-
SHA512
cecabc1a921331b71b04f1b13748d005585508d935ed379ed0dcfa136267b71725f4b5e5adbad8407f51496f22613de01bae2c3942afd34b4ed4ff5a5cb8eb14
-
SSDEEP
49152:OePpQEtJtTF+TxMoxc1TU+j+dAzGwlrh:OePpQEttIuoITsdZ
-
Detect Vidar Stealer
-
Detect binaries embedding considerable number of MFA browser extension IDs.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables containing potential Windows Defender anti-emulation checks
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-