General

  • Target

    Setup.zip

  • Size

    14.4MB

  • Sample

    240628-sybr5ayckn

  • MD5

    b46a5a69182489de8e5e68e4716fd3d4

  • SHA1

    b97a052a5828080b3ce0c148983289ea2a28891b

  • SHA256

    44b0511ca68363333e3e0dd4ea4bc6394ec4db23ad353fe9922e1d9de3a583df

  • SHA512

    f89b30558e3c0880f82a244d0a914b53db8ba8ed3d6dc6c9aa32e4922504ac7292acb9ad9a5b2263e82c4f176f0f04ed19b2a49e789b6e0c2e2e8e2ce0ca83f7

  • SSDEEP

    393216:Bk4aC47BFlUf6BRmDFOn/qN+4is49hflp0GV6n1he:WdC077qN+4Dmd6GEe

Malware Config

Extracted

Family

vidar

C2

https://t.me/g067n

https://steamcommunity.com/profiles/76561199707802586

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Targets

    • Target

      Setup.exe

    • Size

      675.4MB

    • MD5

      14cf56e3094e94a6bcd9f1b18c2e9726

    • SHA1

      b4d6a5f8f6cc0429c02d5b9d0be1e29172010d3c

    • SHA256

      e42c58c29931bee78061436503afbbef40e74c43da2c6291e0e09213add1c5e6

    • SHA512

      122f873501c376615139f7387c33cc533b83af4555f92fe0c09fcca837fdc1f3af2a3659f44c037748b06c613d014160304cf487eb68c154086f0d3749292e65

    • SSDEEP

      196608:L0bq45mmYPrOLaxhyEjILWjDLGfCYZmJu9JgU04IcW7fIxOntw93/sDF1kIQyXjX:obq4o3jOLaXILWfSbg

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets; possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks