vidar

Sharing

Copy URL

Twitter E-mail

General

Target

Unlock_Tool_2.3.zip
Size

26.2MB
Sample

241016-27kaasycpe
MD5

7ac1b1e4026b2f847e283de1a149da04
SHA1

a7e1dcc1d1386094b17271181519ff94943f17b4
SHA256

6a47bed443d129fb6c3661b64547971090889b7c1a8fdf8d27bd804d5f5dd1d8
SHA512

6f340809c0de7c1a21ef0449ed945f8b0ddcfc4dde19d586c9d6c8119cebcf22022dbd106337b21b9cc86ceaa4108b9cf0dab9891165a3475d08285e5e2c3d85
SSDEEP

786432:jYbolarHLcezVOkmJybtLe35N7X+f4kPA4:MRjLXOIRGN1i/

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

23a142269e47ce1692ccc9fb68473bc2

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

- Target
  
  LICENSE.html
- Size
  
  6.3MB
- MD5
  
  6e638956244aaded2c92b77f9d421a81
- SHA1
  
  f5269556b6fe04cfca5a1da21af718641708a666
- SHA256
  
  652457f1b5ec60a81c8aff095366bcc068402c21eb380ba8286366bc4e9a029e
- SHA512
  
  f0e173761a6acd13b6c1b5eb896c361487a770a54f1842ffaa80c8ff780b37a1e801169786776c4afa7d9c75cd968dbaddabff082de55cf75cc4f9d871d08bc1
- SSDEEP
  
  24576:nPVZ5W5WS95zHIlGMmfu626s6W6a6q5AHOeQDph:SMn
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Unlock_Tool_2.3.exe
- Size
  
  1.5MB
- MD5
  
  875d0ab4d446da201127377ef3756d5e
- SHA1
  
  45cdad2ed72f5d4956d13ffcee2002caabc68625
- SHA256
  
  5067e33aee627b233fccbfa9516fdb2bb96216694a606986f986add251a856fd
- SHA512
  
  4ee704b5cc1cf693a511ca555de476ec76fa39b9993fbde102545a390e91ae286c57f7c4cd717b56748a1549e1c28c5e7cfde994f61dac0b762b832fed4d769e
- SSDEEP
  
  12288:1hzfw9F+PLs7BYQtUq6xGfMD/lienK07szdiNb4uhYUsZNYHjuO83IEO:Lw9FOYBYQ6xG0TI4QO4uhNSNYDu/4t
Score

10^/10

vidar 23a142269e47ce1692ccc9fb68473bc2 credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  lesseeVariant/modules.dll
- Size
  
  907KB
- MD5
  
  dc05f0b8f1a32e872721d3486e6332b8
- SHA1
  
  dbf055b0f934640fadcfaa93971fead8df7a3869
- SHA256
  
  37ec5f998a5c376d4fcd4342b43a4163d1f043e0f7711e46677cd30013882723
- SHA512
  
  0f89d713237ef11a1ef8d824ad9767bb13fb4f5f334acdd65af0ba6e54cec4a910398636683254b3fe4d46a069a1781187313684ff827a907b8b968134f6efa0
- SSDEEP
  
  24576:z0OY4ZFajHYDTR2yfVbf+c6Z5WODYsHh6g3P0zAk75:z0CZFaj4HR2yfVbd6Z5WODYsHh6g3P03
Score

1^/10
behavioral5 behavioral6
- Target
  
  locales/resources/app.asar.unpacked/keytar.node
- Size
  
  691KB
- MD5
  
  c5c99144e2e1589628e14999ba59ad73
- SHA1
  
  9c80f8de6b5cdaf38677d5368b5287bacb9e465a
- SHA256
  
  90e35de89ab5e5f9290e4ff1bbadcf221a82b2aa0d9b922187dc980adff3c831
- SHA512
  
  0bcb99953397c6604d8e08bf2ba89248ee82f92436c2dcc779157b65227b0e1350927273a1b6d150a9db914d0a8830680df05ef651ee291b40657a3025a721c5
- SSDEEP
  
  12288:cRInDhSzUpqDDa2XX05VNpk4th460iQlp1Qk5wUFPcvKKR0JQQ8jKOx8:cOnDHpqnaskrdx
Score

1^/10
behavioral7 behavioral8
- Target
  
  locales/resources/app.asar.unpacked/native/tvdbridge.node
- Size
  
  296KB
- MD5
  
  e5526203a1a46494f6940c755189321a
- SHA1
  
  fe8995c525a41c38ddfadcce065bd5a4f9d6a9cd
- SHA256
  
  d849a98540c05e1d0e770bc7d72a5d88213430745acf7aec8ecc246e042d0aad
- SHA512
  
  033fa4ba21d8086e516deddac9d25aaa4180b4c341ceb05c1ef9f86a790ebf22a4ee4eb9505da6703cd4309cee1e6be76dbdf4870f0c4d398bababde9facf899
- SSDEEP
  
  6144:0MYYj6PQEzvJhuQlVvR+biOSvX3wa5zedaPqhUrYOv:uYj6PbzRhflVZ+dg395zedaPEe
Score

1^/10
behavioral10 behavioral9
- Target
  
  locales/resources/mkl_sequential.1.dll
- Size
  
  24.4MB
- MD5
  
  dc669a38669daa5f86ee691ab76f256a
- SHA1
  
  d096b0e62e2cd804d1cdfc1cee97cfd88c6f3526
- SHA256
  
  14d2183e60955af7844004fd394c38667a627804eebd23f88d8b2916803c0191
- SHA512
  
  7c0fb218cc5403d25f0a50e500ed2cd5c1a2c95a6538edae366ec8e6dae2d6fcee0a047cb1c1f4b382630cf06d9f9aa140a7c37c7d6bc30008bfa5a03544f834
- SSDEEP
  
  786432:jAjbotve5/l6Qofwx/xGHfHr9kmk5D0EnnP+IobqgGzt:jAjbotve5/l6Qofwx/xGHfHr9kmk5D0O
Score

1^/10
behavioral11 behavioral12
- Target
  
  locales/x86/ACE.dll
- Size
  
  1.1MB
- MD5
  
  d0ae82cdf9911bec3eddda128602af04
- SHA1
  
  58e167521f2b028d03aeb6c926d34c2c969fa9c6
- SHA256
  
  f9675304d13efaee32e6b4a3317b64231a59b684532a898d12b4e7ed88518afd
- SHA512
  
  c1520462a8e02ab09e2a101207e88cf6861b48c32b7c2523047251496479740a84987fb19aba4dc8610abe2c81e5f7dbc80c51b8667f4953e17dda583d27557d
- SSDEEP
  
  24576:tmGLzPLOXbuKR17zBXE+MXRHRg2yTEg863NzSxoopoo+F:v3jOyY7zB0+MXRHRg2iBrdzSqF
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  locales/x86/AGM.dll
- Size
  
  5.8MB
- MD5
  
  b39b8d45413692ff856e9ba907256c2f
- SHA1
  
  ab06b594a57b8bbe0f4c4ba80a12129953521667
- SHA256
  
  ee32f4cbba3a601d57064695a8ed5955e1b9af984110d34504b8d5ebb132c084
- SHA512
  
  1dcc8bbbc55ac27b0a0b96e28de73338b972e2998bc9c33439c32b721de811b2c9ecf6d7953dfbdfadcbcc0c64f56871d09ae953a449c516578e9e8b3e1df661
- SSDEEP
  
  98304:lUpuc5sPE5fMZywrovF+rMnV17FVgvhiWaOuBue5SlIN:cuMCEZ3wrovF+a5Z
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  locales/x86/AIDE.dll
- Size
  
  2.0MB
- MD5
  
  ad388ce4c2cc3aaff605994da782d57e
- SHA1
  
  f43c3f588c77a34e8b81b63247ac1d7657016050
- SHA256
  
  d3ba1adbfeef8f19e4aa570299c06d39a87dfc5fe3d85946270b722e44dacda7
- SHA512
  
  f8e8f0fc5d8e01f8afe1aac55d3a301fa0019c6e80099616abf5a41c09aeabd0294e4391ddac170c2cd5bcff0b9e9cb4b559a2eca50a273e398083542065e27b
- SSDEEP
  
  49152:h50rEANbHm4w0H5QZXjr/nZA9XANcZ4T5lQ:b0rEcbG4w0H5QZTrnZEmlu
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  locales/x86/Acrobat/Acrobat32OL.dll
- Size
  
  200KB
- MD5
  
  18e5a6296e02efb842fb3d11ca0c7c63
- SHA1
  
  1a774bc3ec960bf1d639b883ba34de0a101748a8
- SHA256
  
  629b4cef2c394c6a1fad37e5ac6f497b3bdac489270d54f4e98c5dfc925ea883
- SHA512
  
  66fe300a275d0dc403479668a3120e6eb9a84a28736e64b24afc37298e556589b40c191a83f5871b2ad1778e0a8a65f7a0878f29d409b2efb9d51531854c5198
- SSDEEP
  
  6144:tbL7Ohthut5BCRVS989WUY+7F4C9WOOS0mvpMJDJ2C7ejmj:xL7ObhG5BZUYiF4C9WOOS0m+JD
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  locales/x86/Acrobat/Onix32.dll
- Size
  
  745KB
- MD5
  
  e03d8bbcf584de58500efdac4c7b6a97
- SHA1
  
  7aac481128eda876bc111b0cb33e202c68ef1f93
- SHA256
  
  58cc0c31514e89a743c9b96c7892c256cd9daaa18bdcff784b8ddb1d5c15a163
- SHA512
  
  eb3346b4d93137476f57eb43c87e4160b5d85431e2e9a75fbf4250161414d290eead6bcdadb290e23f13158ea265da880ddef1cad4b12cce60c0fa9d4f95c3d2
- SSDEEP
  
  12288:JPuGQm/KqPd7dg3EPctRuVcnQUFkZrBzKWe5p7MQnowzk7NugLqKiaC3P2nYs8rh:gGQm/KqPd7dg3EPctRuVcnQUFkZrBzKz
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  locales/x86/AdobeXMP.dll
- Size
  
  887KB
- MD5
  
  7c3033588c1a187918cf3fd246069a3f
- SHA1
  
  2b637a9d37de604ae8e98fcbc73746ccc0402b31
- SHA256
  
  e958f4ed8272a96e599ff9f0a79331e7b5109104a9d20d3f760c7eb162daf7e0
- SHA512
  
  80d513d25477081c84af87e8127a02bb332204ad7399ac653a27ca726e446fd25518d36189bf90b10cbf34119d35501e006a2e06dbca5a96dc2348aff6b6fe91
- SSDEEP
  
  24576:7CaZsdfNjJaN0OdQfLCKVkDavzVi5p5bafAAy4:7ZspNQVQdkahi5zaf5R
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  locales/x86/BIB.dll
- Size
  
  119KB
- MD5
  
  404de37b800b661ebfaa218b20c8c0c6
- SHA1
  
  2a2416b663ee9d9ec6325d2c70bf05be27a73eac
- SHA256
  
  ca53407b356fcdea51a6d536447ed6b88ad14c87facf421080d141cae837eedc
- SHA512
  
  e6d66bcb0da4ca5456dab376385c73a918fc13c4b0ab9a05d2324dbb7a9fcf197d727acfbedb15e55452b916c9afde0ed01b233868a88ae0f34ee01306289430
- SSDEEP
  
  3072:x9mmiJ1WvqJ7fW7n/WY0EZrZsibdumKr9igRsNpKN02+OzHwn:TkaqJi7M0dO
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  locales/x86/BIBUtils.dll
- Size
  
  170KB
- MD5
  
  79622b56347c1fd44b74bd4ea74cb813
- SHA1
  
  51c1e13a4b5aad657c570149c529dd4963adf77a
- SHA256
  
  0f2b3d012a9abe420bc36c62847bba6ca4478ceebc018bad2b19f22d481fcc10
- SHA512
  
  ebc329e0d1d869107043e5b0a0e05d4322fa0a2bbc2c30411d51ce1b4b33778ee94f82ad072cc8cf75222f488e52bf52dfb7481edfdef3e39fd58259685ad195
- SSDEEP
  
  3072:0VMWnX3e6TCL2ssOGpibdy1ZLKDZW7TPtAlgeoVA/sis/zquLtyQh1g:0JnHeKk2s03q0nh
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  locales/x86/CoolType.dll
- Size
  
  3.2MB
- MD5
  
  6fb9f15b6a1dd1ee9cdb9b4ef290d69e
- SHA1
  
  c5955655e9b96004a72bbb09aa72996f3ddaa539
- SHA256
  
  d4a0db913fa555808ce627114fe6e2725970499c70364edbedf47d907d52242d
- SHA512
  
  24be26d2e0dc3e05f786ce3eee815247261fe99e1bff08e689d71bf68e7d5340e942aaaefd9203569f63c23a5f5cb46c1ff6a2d91f2753fd6d78240fffa7beed
- SSDEEP
  
  49152:37sVoVC47fsPVTs57ovd2MMg6NYpnd3EQUyfha+P/u6LSXvowU7u9qRXApP4Cqrt:37RCwfsdTk+dlb73ELyfhlf9K4Cqi3
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  locales/x86/JP2KLib.dll
- Size
  
  508KB
- MD5
  
  73c0da5c825e3a2275dbef4f8dae0813
- SHA1
  
  6f6191867fddf3c284066dd855512198c509d64c
- SHA256
  
  979851cac4a2a0e394f06ca7139d7402911048b094f550dd9b33d1203ae92862
- SHA512
  
  aa01cba77cf94d3a4c66ac7169414d4d7f91d8965d312bb46430b766affe0ff93c241a84ad9e1796c08c28fcbc613c9d98cde37b2b4914e801abff6c638a111b
- SSDEEP
  
  12288:tskp3VH/G2LrUUIGVC3hCDfF5AzO5qkkZalIf+AGzVYu5uRcyef0njWcArh45j:tsK3VH/dlIGAGzqu07ef0qO
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Vidar Stealer

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32