Overview

overview

10

Static

static

6

a.exe

windows10-2004-x64

10

a.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.zip

  • Size

    40.0MB

  • Sample

    240929-s82fjatdlh

  • MD5

    ff178b67e372981598390898880ba9b0

  • SHA1

    790568c86a890853177f9bb40978149cec8ce6e2

  • SHA256

    ceea0457f178b5e19d8ef1aa7c7f7b5ce5e3fcc7f48b0f1ac5da39ba290819dc

  • SHA512

    e9203bad3b5251b99b8f249ad6973116b2d37dbc6f80666707b56f30d5ba6d1ea49ecd08c1e4b84f4376770840e195915e82920b2c0f58aeea765c48d1716284

  • SSDEEP

    786432:WXNBctmUJUcGRdzVV6YnSFdWDxkjvyVzRBUPtFADd0QX6pytIgmSHvifm2Fpc96i:WXNWtKc8zVVUsxwvyiPtFI4pytIVSKNu

Score
10/10
vidarda1105e7cee8ade4acd1a4dc0b47dbbecredential_accessdiscoveryevasionpdfpersistencespywarestealer

Malware Config

Extracted

Family

vidar

Version

11

Botnet

da1105e7cee8ade4acd1a4dc0b47dbbe

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

    • Target

      a.exe

    • Size

      6.1MB

    • MD5

      4864a55cff27f686023456a22371e790

    • SHA1

      6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

    • SHA256

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

    • SHA512

      4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

    • SSDEEP

      98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

    Score
    10/10
    vidarda1105e7cee8ade4acd1a4dc0b47dbbecredential_accessdiscoverypersistencespywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks