Extracted

• • Target

    05f13d8e64e219b971189c97ef7ebec20ff1b5f9858bb88db814c62b4540f751.exe

  • Size

    394KB

  • MD5

    e4681cf87d9e2a0dd09ff6e02fe79eb6

  • SHA1

    73c19d284b9358e694c1d686cb906b01518641a1

  • SHA256

    05f13d8e64e219b971189c97ef7ebec20ff1b5f9858bb88db814c62b4540f751

  • SHA512

    962686efb51ce376a75d939a2a351979967cbf5d364794feaba16642e6e463c63b5551635fe31eb4bd8be7fcc7940a9c1395cd80606f1349ad5e389e02a4ee0d

  • SSDEEP

    6144:exHv9xQGoaKiDWM6iKwxnKfrfrhCA5PK8W9VFpmuXj8WtlcaZOc:exHHJ961UnK02PKnV+uXj88caZ

  Score

  10^/10

  vidard80be45a1eb6454ca916f92c36ebf67dcredential_accessdiscoverypersistencespywarestealer

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2