General
-
Target
036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6.exe
-
Size
401KB
-
Sample
240921-bc1exsxepf
-
MD5
6b082832f014548bf1703ddaed1e16b9
-
SHA1
93d4d923d2dc2869e7aeb8cf919490087113b838
-
SHA256
036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6
-
SHA512
fe48b376be766314b000fa557e4e3dac013b8cc8e82637df3fc9f442dd2f858998f894232fecd65e6e3baf0d2e1bb423c1a8515cda7a870c3baec77d207f4936
-
SSDEEP
12288:0K1t63MtALzhRqhiBsr8MxYXX9J56TWdgM9FlX:0K1t68tALzm6/MxsXwWdV
Static task
static1
Behavioral task
behavioral1
Sample
036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
vidar
11
dea7c01007a657ba0c601c941632f140
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://questionmwq.shop/api
Targets
-
-
Target
036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6.exe
-
Size
401KB
-
MD5
6b082832f014548bf1703ddaed1e16b9
-
SHA1
93d4d923d2dc2869e7aeb8cf919490087113b838
-
SHA256
036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6
-
SHA512
fe48b376be766314b000fa557e4e3dac013b8cc8e82637df3fc9f442dd2f858998f894232fecd65e6e3baf0d2e1bb423c1a8515cda7a870c3baec77d207f4936
-
SSDEEP
12288:0K1t63MtALzhRqhiBsr8MxYXX9J56TWdgM9FlX:0K1t68tALzm6/MxsXwWdV
-
Detect Vidar Stealer
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4