General

  • Target

    file.ZIP

  • Size

    15.3MB

  • Sample

    240628-skftxsvfjb

  • MD5

    dcb4c2bfc6247acb9d5363616746d970

  • SHA1

    772b0dc3e99ba3ad09149b0459a342aa87f56cf9

  • SHA256

    83d63b96073af07804a73c76da2241a8cfc2fa8bb01fd0a82bdc2a10ba7d2964

  • SHA512

    3d07317d5baba36d50e69fdb88d2f497c4ac87adbb70d787fd1256a0065f055eeb90e3741ef9876d72ec9bcbe423006a34adad764b7cabfc4d55c1dda8e40c94

  • SSDEEP

    393216:D1nD9nDUpm6GBq8GT/TC8DAVvh6nMONoOhM3Qzf38zV:D1JR+/+8DAVvh6XvhJfu

Malware Config

Extracted

Family

vidar

C2

https://t.me/g067n

https://steamcommunity.com/profiles/76561199707802586

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Targets

    • Target

      Setup.exe

    • Size

      675.6MB

    • MD5

      acc3282f8baa586c256c7c1b6ff4522c

    • SHA1

      463d8ed383ad2a36a9df93dfefa493a2a95f4445

    • SHA256

      2d4a3b606626c54ef71e06abab01fb69a3ff26e8c7d5322c12511e5d8bd52dc4

    • SHA512

      e9e7321bde05e5e0f882bdd99695990dae509c24a168f017f8b83b332d350d8662e81bc380cae64730d9eeb6bccbd6a2c2a6a6aedace7a51483b4251a49ca2ed

    • SSDEEP

      196608:i0bq45mmYPrOLaxhWJVXdgvY23Jj/W5PCtLwFRpeZApj6bZy3yIhoR0LrLBsyyS3:bbq4o3jOLaSbKY2N/6CNyRp9j6bI

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

    • Accesses cryptocurrency files/wallets (possible credential harvesting)

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
