General
-
Target
ec86bd905bd5524841fccc2c895e99d587ddeeced4ffa439d962e05e77c02e2b.exe
-
Size
908KB
-
Sample
240709-cwgmlatfpc
-
MD5
bf74f5b3149cb45d8a0efdfeaca50c98
-
SHA1
0bfe3661e7821586fbe8e569ffc48fa1a71d995d
-
SHA256
ec86bd905bd5524841fccc2c895e99d587ddeeced4ffa439d962e05e77c02e2b
-
SHA512
7ed7068b0816c547f45acf634f77377703d16ce183f488579e55a4d070d6d00bd0b337d12fc92457ba58fd66a2bfa744ad7e43af77e03361654746a979c1c31a
-
SSDEEP
24576:Am9C2jncX0aBNt11yY65swIcU5KDoM1m96siDDyQQNDZ:oWOD18Y6WwIN5YI6xDyJDZ
Malware Config
Extracted
vidar
https://t.me/bu77un
https://steamcommunity.com/profiles/76561199730044335
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1
Targets
-
-
Target
ec86bd905bd5524841fccc2c895e99d587ddeeced4ffa439d962e05e77c02e2b.exe
-
Size
908KB
-
MD5
bf74f5b3149cb45d8a0efdfeaca50c98
-
SHA1
0bfe3661e7821586fbe8e569ffc48fa1a71d995d
-
SHA256
ec86bd905bd5524841fccc2c895e99d587ddeeced4ffa439d962e05e77c02e2b
-
SHA512
7ed7068b0816c547f45acf634f77377703d16ce183f488579e55a4d070d6d00bd0b337d12fc92457ba58fd66a2bfa744ad7e43af77e03361654746a979c1c31a
-
SSDEEP
24576:Am9C2jncX0aBNt11yY65swIcU5KDoM1m96siDDyQQNDZ:oWOD18Y6WwIN5YI6xDyJDZ
Score10/10-
Detect Vidar Stealer
-
Stealc
Stealc is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-