Overview

overview

10

Static

static

6

W2.pdf

windows7-x64

3

W2.pdf

windows10-2004-x64

3

a.exe

windows7-x64

10

a.exe

windows10-2004-x64

10

msimg32.dll

windows7-x64

3

msimg32.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.zip

  • Size

    40.0MB

  • Sample

    240930-ams8xsxfkl

  • MD5

    ff178b67e372981598390898880ba9b0

  • SHA1

    790568c86a890853177f9bb40978149cec8ce6e2

  • SHA256

    ceea0457f178b5e19d8ef1aa7c7f7b5ce5e3fcc7f48b0f1ac5da39ba290819dc

  • SHA512

    e9203bad3b5251b99b8f249ad6973116b2d37dbc6f80666707b56f30d5ba6d1ea49ecd08c1e4b84f4376770840e195915e82920b2c0f58aeea765c48d1716284

  • SSDEEP

    786432:WXNBctmUJUcGRdzVV6YnSFdWDxkjvyVzRBUPtFADd0QX6pytIgmSHvifm2Fpc96i:WXNWtKc8zVVUsxwvyiPtFI4pytIVSKNu

Score
10/10
vidarda1105e7cee8ade4acd1a4dc0b47dbbecredential_accessdiscoveryevasionpdfpersistencespywarestealer

Malware Config

Extracted

Family

vidar

Version

11

Botnet

da1105e7cee8ade4acd1a4dc0b47dbbe

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

    • Target

      W2

    • Size

      36.1MB

    • MD5

      28ed3744e67812936a005adfb9f029a4

    • SHA1

      3a725d65fdc9d24638c2a673f0fdaf74f26d3b47

    • SHA256

      a8c302a0e636b865a1452db668d9d8a5154f3634923aa06e23469d81d7e6c410

    • SHA512

      972c561f58018162dd1560de16bca63666a91879648b609f7acc754ec6a25ab62ac2161c553a33aacb7141211ca7f2b76d11e7b5a63471bf8c40516c54245b48

    • SSDEEP

      786432:94rbnl4Qbn+40bny4Rbn04ubng4dbnB4sbnn4rbnh4nbnH47:94/l4G+4ay4d048g4pB4Cn4/h4bH47

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      a.exe

    • Size

      6.1MB

    • MD5

      4864a55cff27f686023456a22371e790

    • SHA1

      6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

    • SHA256

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

    • SHA512

      4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

    • SSDEEP

      98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

    Score
    10/10
    vidarda1105e7cee8ade4acd1a4dc0b47dbbecredential_accessdiscoverypersistencespywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

    • Target

      msimg32.dll

    • Size

      3.9MB

    • MD5

      5ffd78650614bc118ea029b086dffb3e

    • SHA1

      d552cfbc15052f609e23a9613866d5462a4318a3

    • SHA256

      c8bdff3366a5e82f090d54dee45a507c53caf619ab5285efccb0d5c69041b381

    • SHA512

      451f97fceb1127a37f064d86584ce0a81d47fcac3c4dd64eca3cf60a50437b29e1a6a7de5513f3dff72a96bfcf2a5f548751470b80c7ad34ada07fd0f43f864d

    • SSDEEP

      49152:Ptw8A/gVIBl8X3t6evYC/2NESehSE3TQaC+1RDYBylTTt4eri:xwA/SNVwSE30ajvI6TpE

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Tasks