General
-
Target
virus.zip
-
Size
68.2MB
-
Sample
240806-xaeakawhjq
-
MD5
3dccdaa76d7b98b7311d282df2a365f7
-
SHA1
15c32ef66eea8b26e34bb1aae291e84a9bb91170
-
SHA256
056e9d3c6051fac9a3312728d260c7cb73c63c87da475baeb8453cbcc7c69b5b
-
SHA512
d221ff8cbcf586b49aaec9475a397036f932770dc629c0645b2a30c3d3a72463bcbb7b0205aa4f57d2c20feb5eaee86511d2b2a5cb8580a23393797b0da626b1
-
SSDEEP
1572864:tbmO384gMWCJpwHA8EO2wLNZJ+V/wnMBxCvi38Cwk3f6Y6:sO3HZvwCO2wLNZm/wnHiMa3l6
Malware Config
Extracted
vidar
http://46.226.160.169:80
https://t.me/kooiliiuus
https://t.me/vooliiks
https://steamcommunity.com/profiles/76561199747278259
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Targets
-
-
Target
virus/About/IA2Marshal.dll
-
Size
77KB
-
MD5
31fcd15b9a06ac591b130921b0b006c8
-
SHA1
81a485e90a33ced93033ae9a4e079639bb283a31
-
SHA256
70db8976911089b12d584faa1bc48cbbccffa8e79afc70273cc4a8352a0dc615
-
SHA512
1125e34a0270af7135040e2ab44a5ca749a230ad34bc23b60f3ac529579a21b4d72bf0cf574352469b97c66515cf2d2792e43ab29d9888131053be34d3a37249
-
SSDEEP
768:67afxi7heDjJNhM1cUPKRK8MJL6cgNkBewiLW3WwKWeV:yw5DFNhMGUPKRK8MJGhG/iLay
Score1/10 -
-
-
Target
virus/About/qtmultimedia_m3u.dll
-
Size
33KB
-
MD5
e5edd622c8db0f7caca1fc1bd58a0c48
-
SHA1
1f1ff78d2eae799e2abf06252265600eab3f4551
-
SHA256
dae45e4b553bdb471bb97b75060829d78f98dd824ebd765ceb9347af7697addc
-
SHA512
e8f9be815ab30a158dbd050085e1418307ef86f0cfdf8833afdde44c52fca66d7ad452e159d1cf3cb96ca32ee60c639998a6eea6d1933f6a34f06b41a5d99710
-
SSDEEP
768:sCV1YEh1QGs52809gKO0aiZnVbZnkN2661tq:sCVCEh1QGs5m9gKOonP66u
Score3/10 -
-
-
Target
virus/Files/Sourse2/qtmultimedia_m3u.dll
-
Size
33KB
-
MD5
e5edd622c8db0f7caca1fc1bd58a0c48
-
SHA1
1f1ff78d2eae799e2abf06252265600eab3f4551
-
SHA256
dae45e4b553bdb471bb97b75060829d78f98dd824ebd765ceb9347af7697addc
-
SHA512
e8f9be815ab30a158dbd050085e1418307ef86f0cfdf8833afdde44c52fca66d7ad452e159d1cf3cb96ca32ee60c639998a6eea6d1933f6a34f06b41a5d99710
-
SSDEEP
768:sCV1YEh1QGs52809gKO0aiZnVbZnkN2661tq:sCVCEh1QGs5m9gKOonP66u
Score3/10 -
-
-
Target
virus/Setup.exe
-
Size
693.1MB
-
MD5
01ab745aa7f4a530b4f3146dcb60ff4b
-
SHA1
39ff04624c5b47a3af6abe638151ed7fdd55def1
-
SHA256
d1cbd311fc4c3fb88682cbd37f6904a35f7133074b7990a4eea6cdfff5414a1e
-
SHA512
76494dc91475e1ab9ea54a8131e8dea61cf0cb7530593e19fae6805077479209a2631fea500a9151473ba4e674797ee627151f9aca4a48f95f1c4a8f3d7cb47b
-
SSDEEP
393216:m3Mc7el0z16ExHVojm9U3NkhwYkwrYTx2xztNaSyc:wMcqaR6Vjm9MWprMTgL
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4