vidar | 069a6d59d935c55e08ab7bf53f704c779a58c3232009af14fd0ef0d2313ffcc4 | Triage

Sharing

General

Target

069a6d59d935c55e08ab7bf53f704c779a58c3232009af14fd0ef0d2313ffcc4.zip
Size

7.8MB
Sample

240803-bdpd2ssblf
MD5

f655bcd5da27f811881187e398341d72
SHA1

f889cdadd8e48de004d1c8e60335c8c8810f9ead
SHA256

069a6d59d935c55e08ab7bf53f704c779a58c3232009af14fd0ef0d2313ffcc4
SHA512

35744b380fad5e2595d346b6dad8bf182e0a4380c5802d491a026209c2e18ccc2cc9ed431f28e13f6c2a5e1df3c1fed14493298880d2d8926dd8066dcbe71143
SSDEEP

196608:KYy7PTX8TCwqxH7xAxMXx6+8QmhzHS5b0SVLEhikHGRnPNta:KFX8TcxbxsMXxGZhzyZ00QwkH6Pra

Score

10^/10

vidar credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Targets

- Target
  
  theoryspecializedpro/theoryspecializedpro.exe
- Size
  
  7.9MB
- MD5
  
  680af4923dc7b8ce1c06516ce06d17d3
- SHA1
  
  1487fcbdae76e1ebb5d55b9f76692959dd2cd5a6
- SHA256
  
  6ae6030e6222a1400ce938e2ad2086253f1ff6d9d07b0be35fee6853e87bedc6
- SHA512
  
  e8b7cb2e6e791716159ed7906d3f0e0972a8a1b58a2ce46781adf5f45da3fdfc88b782153a3bde15719b25d489a2f12266d23f20a25b956e3dbf9ea7f95a67f0
- SSDEEP
  
  196608:R6q51jd2HCwufvfbc7Mh7gOwQc5zlSJp0IV3DtBmS1aj9lF9q:RBd2HgfXbqMh7Ux5zgb0KRkS1YHj
Score

10^/10

vidar credential_access discovery persistence spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vidarcredential_accessdiscoverypersistencespywarestealer