General

  • Target

    c7f39760d17bd7c8c08ca2cc7c88e825526b5149c80543dbedacc052fa9ea479

  • Size

    411KB

  • Sample

    240923-ftz8psxbnm

  • MD5

    9bcf6be0b4b8eff680b0d8539237a496

  • SHA1

    d4f023de60407bbf80512a76339b14ef01060439

  • SHA256

    c7f39760d17bd7c8c08ca2cc7c88e825526b5149c80543dbedacc052fa9ea479

  • SHA512

    f0b3a552a6482135cc3b9d8872b93201bfc11f89d544aa29779dfd6a45a6e60d05316b3d0550e989bbe7ed2819d0e59e31fa71976f08ea0a681e0d2626a1b48d

  • SSDEEP

    6144:PVDE42g2K7jOz5rVp+9Mphcr4vP9UXVFwzwbnaTDW+QSOBiQglLEO:JE5g37u5rVLhvUFKz+CDWV5uEO

Malware Config

Extracted

Family

vidar

Version

11

Botnet

dea7c01007a657ba0c601c941632f140

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

    • Target

      c7f39760d17bd7c8c08ca2cc7c88e825526b5149c80543dbedacc052fa9ea479

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files on disk.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software installed on the system.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects execution in another thread; it is commonly used for process hollowing and thread-hijacking injection.
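
Correlating the behaviours listed above is how a detection engineer would turn this report into a triage check rather than alerting on any single file read. The following Python is an added example, not code from the report or from the sandbox that produced it. It runs the signatures' file, registry and API criteria over constructed per-process events (the event schema, image names and sample paths are assumptions for the demo) and flags a process only when it hits several categories at once; the browser itself is excluded from the browser-credential rule because it legitimately reads its own store.

```python
"""Correlate infostealer behaviours across per-process events.

Added example, not the sandbox's own detection logic. Assumed event
schema: dict with pid, image, op ("file" | "reg" | "api") and target
(a path, registry key or API name).
"""
import re
from collections import defaultdict

# (category, event op, pattern over the event target). Paths are the
# well-known store locations the report's signatures refer to; assumption:
# targets are backslash-separated Windows paths or registry keys.
RULES = (
    ("browser_credentials", "file",
     re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)$", re.I)),
    ("ftp_client_config", "file",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("crypto_wallet", "file",
     re.compile(r"\\(Electrum\\wallets|Exodus\\|Ethereum\\keystore|wallet\.dat)", re.I)),
    ("installed_software_enum", "reg",
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("set_thread_context", "api",
     re.compile(r"^SetThreadContext$")),
)

# A browser reading its own profile is normal; only a foreign process
# touching these stores counts. Assumption: lower-case image names.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Distinct categories a single process must hit before it is flagged.
MIN_CATEGORIES = 3


def classify_event(event):
    """Return the category an event belongs to, or None for noise."""
    for name, op, pattern in RULES:
        if event["op"] != op or not pattern.search(event["target"]):
            continue
        if name == "browser_credentials" and event["image"].lower() in BROWSER_IMAGES:
            return None
        return name
    return None


def triage(events):
    """Correlate events per pid: {pid: {image, categories, flagged}}."""
    per_pid = defaultdict(lambda: {"image": None, "categories": set()})
    for ev in events:
        entry = per_pid[ev["pid"]]
        entry["image"] = ev["image"]
        cat = classify_event(ev)
        if cat is not None:
            entry["categories"].add(cat)
    return {
        pid: {
            "image": e["image"],
            "categories": sorted(e["categories"]),
            "flagged": len(e["categories"]) >= MIN_CATEGORIES,
        }
        for pid, e in per_pid.items()
    }


# Constructed sample events (not sandbox output): one suspicious process,
# the browser reading its own store, and a process that only inventories
# installed software.
_PROFILE = r"C:\Users\user\AppData"
SAMPLE_EVENTS = [
    {"pid": 4321, "image": "sample.exe", "op": "reg",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 4321, "image": "sample.exe", "op": "file",
     "target": _PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4321, "image": "sample.exe", "op": "file",
     "target": _PROFILE + r"\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 4321, "image": "sample.exe", "op": "file",
     "target": _PROFILE + r"\Roaming\Electrum\wallets\default_wallet"},
    {"pid": 4321, "image": "sample.exe", "op": "api",
     "target": "SetThreadContext"},
    {"pid": 4321, "image": "sample.exe", "op": "file",
     "target": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 1200, "image": "chrome.exe", "op": "file",
     "target": _PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1200, "image": "chrome.exe", "op": "file",
     "target": _PROFILE + r"\Local\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 800, "image": "inventory.exe", "op": "reg",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
]

if __name__ == "__main__":
    for pid, result in triage(SAMPLE_EVENTS).items():
        print(pid, result["image"], result["categories"],
              "FLAGGED" if result["flagged"] else "ok")
```

Thresholding on distinct categories is what keeps this from firing on an inventory agent that only enumerates the Uninstall key or on the browser reading its own profile; the behaviours in this report cover all five categories.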

MITRE ATT&CK Enterprise v15

Tasks