General
-
Target
vidar0907.exe
-
Size
442KB
-
Sample
240711-pl3hjawdmp
-
MD5
0b4cc01ce62da8ed72b98a896c11c1dd
-
SHA1
eb87a11df4f7a0066389094ee9ba8a4e189794ad
-
SHA256
6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc
-
SHA512
b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d
-
SSDEEP
12288:IQ1qvYI8j6BYDbqP/UJHQDvt81YNMKBOqIcruB:IQqvYTq+KhD18mhu3
Static task
static1
Behavioral task
behavioral1
Sample
vidar0907.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
vidar0907.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199735694209
https://t.me/puffclou
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1
Extracted
lumma
https://stationacutwo.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
Targets
-
-
Target
vidar0907.exe
-
Size
442KB
-
MD5
0b4cc01ce62da8ed72b98a896c11c1dd
-
SHA1
eb87a11df4f7a0066389094ee9ba8a4e189794ad
-
SHA256
6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc
-
SHA512
b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d
-
SSDEEP
12288:IQ1qvYI8j6BYDbqP/UJHQDvt81YNMKBOqIcruB:IQqvYTq+KhD18mhu3
-
Detect Vidar Stealer
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-