Overview

overview

10

Static

static

3

1d50b6e42d...1d.exe

windows7-x64

10

1d50b6e42d...1d.exe

windows10-2004-x64

10

Organisati...ve.ps1

windows7-x64

3

Organisati...ve.ps1

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe

  • Size

    4.1MB

  • Sample

    240926-xg9p2ssdjr

  • MD5

    4f3ddd6692d604ecf2bd37d93d0f2387

  • SHA1

    78a00b190d88eaf514b5bf2af754681795de9e44

  • SHA256

    1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d

  • SHA512

    2e1720baf9ad49781d224ac23ebe25aae6073465e7e962bde9759941373ec0109176be8d7a1693b0196b6ac1912d84b96422b2758e2e3143dec76de1154f4153

  • SSDEEP

    98304:9BkNhx7tr/K0pB+km2inP8I0zJDd0TfuBUR8/Rg:9BkNVbiP8fDd0yBUy/q

Score
10/10
vidar8804a4f27e22750a8baa49e881ddca35credential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

vidar

Version

11

Botnet

8804a4f27e22750a8baa49e881ddca35

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

    • Target

      1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe

    • Size

      4.1MB

    • MD5

      4f3ddd6692d604ecf2bd37d93d0f2387

    • SHA1

      78a00b190d88eaf514b5bf2af754681795de9e44

    • SHA256

      1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d

    • SHA512

      2e1720baf9ad49781d224ac23ebe25aae6073465e7e962bde9759941373ec0109176be8d7a1693b0196b6ac1912d84b96422b2758e2e3143dec76de1154f4153

    • SSDEEP

      98304:9BkNhx7tr/K0pB+km2inP8I0zJDd0TfuBUR8/Rg:9BkNVbiP8fDd0yBUy/q

    Score
    10/10
    vidar8804a4f27e22750a8baa49e881ddca35credential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      OrganisationEstates/Innovative

    • Size

      96KB

    • MD5

      e1a9c4a5a6d13e85dad6cd2b38aa6f89

    • SHA1

      dfb507e4c1f636c6dd1f4e5c0758a417a6552346

    • SHA256

      285b0808ef9df43736f0c85c276e0e8415c7fad3c5f4b0bc2d25377ecbd1ffef

    • SHA512

      a524bcd6ba32ab3d7040254b9f341c5fe30e64c606300aab1cc5b0c1604647e09b20f1b344d63c32a4e2a022786e8cbc1e34e9538a1cac62bea58c69c11a0696

    • SSDEEP

      1536:r1iEGFARVwMdOVdeV9YYHYvdO+hNHUnB3x10rHbn3YzUqvngafxwI+7UVz1:r6ARVRV9YY4v1KnBLKn3wUqvBZtz1

    Score
    3/10
    execution
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks