General
-
Target
66bddfcb52736_vidar.bin.zip
-
Size
187KB
-
Sample
240817-v94y6a1cqp
-
MD5
a284b21c1e928fe4ede4ddbeddfcd391
-
SHA1
d5260a53b780a6308c639d2b89116ef5bbe992d7
-
SHA256
8b34e6283a4e30009a0ad792723817cfb0d5cdbbbe119948aa6e887bd59e1620
-
SHA512
64ee76b87be812c3c82c5716cd3d7c7065c0522fdbd774b1d745d67ab69a2299df3dd9d52e150188b860c9220435658fb3140f7317ad59a3fac76f864337203a
-
SSDEEP
3072:6NaGrsZYYgA7AaNGNjF1kTWWdNYArOLE99nkVHr/8J9bykSEN2vvBhat0658GZqa:GSuYvfN+4TZNYAKLGaHb09q0eBIO658W
Static task
static1
Behavioral task
behavioral1
Sample
66bddfcb52736_vidar.exe
Resource
win7-20240704-en
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199751190313
https://t.me/pech0nk
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Extracted
lumma
https://consciousourwi.shop/api
https://potentioallykeos.shop/api
https://interactiedovspm.shop/api
https://charecteristicdxp.shop/api
https://cagedwifedsozm.shop/api
https://deicedosmzj.shop/api
https://southedhiscuso.shop/api
https://weiggheticulop.shop/api
https://tenntysjuxmz.shop/api
Targets
-
-
Target
66bddfcb52736_vidar.bin
-
Size
190KB
-
MD5
fedb687ed23f77925b35623027f799bb
-
SHA1
7f27d0290ecc2c81bf2b2d0fa1026f54fd687c81
-
SHA256
325396d5ffca8546730b9a56c2d0ed99238d48b5e1c3c49e7d027505ea13b8d1
-
SHA512
6d1fa39560f4d7ca57905bc57d615acf96b1ef69ca2a4d7c0353278e8d4466298ed87f514463c49d671cb0e3b6a269a78636a10a1e463dba5c83fe067dc5df18
-
SSDEEP
3072:XqsEJybpRHuJKKBardRei4UGvI96/ZO6RAkeOCeP9sZy28se:XqsMyNRHuKikUi42KZO6PffmZy2d
-
Detect Vidar Stealer
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4