vidar | 3d98667d1a583f8d7b8ac000ba1df35b6ada283e4c9852162845e97f17ce8ea3 | Triage

Sharing

General

Target

3d98667d1a583f8d7b8ac000ba1df35b6ada283e4c9852162845e97f17ce8ea3.zip
Size

8.2MB
Sample

241016-by7q5awdkd
MD5

09539fd50ea85b584c1f55c0deb71329
SHA1

8a1ac479872d98cadd1ca47421c43086382e81ce
SHA256

3d98667d1a583f8d7b8ac000ba1df35b6ada283e4c9852162845e97f17ce8ea3
SHA512

a4c7f48677923146a284163cd26e7891cd8d3c9f5a69a1179a89b9323aaad5a245e4721716868a4d4988dcf2a796b5529f8300901e24922e0a0e48a553856da1
SSDEEP

196608:sIa9VVoU9Oih0I/8sigwwVlRW5ZSMuo06gq6e1Kqw5HSaP:srjVoU9Z0IUs3wwVlIIMuo06oe1dw5t

Score

10^/10

vidar 1ad2efbf0ceace651c61a55794eeb149 credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

1ad2efbf0ceace651c61a55794eeb149

C2

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

- Target
  
  handspecialisprot/handspecialisprot.exe
- Size
  
  8.2MB
- MD5
  
  e63f5a19c153dfe47509c7fc04055597
- SHA1
  
  490946abad697b842820cdf34a3e728dad356f2a
- SHA256
  
  7b7e1f0091db08d3b9508044e1861add62e956b614408e04e43843ccbe01d8fb
- SHA512
  
  3db8f19b305b8658e80947631b9ff6f8810e8f9254f0687c73cf0e3505a4679da12cf59f94077aa1b6aa00606d2f5dad12c5f1545720fc4409709e5211da6779
- SSDEEP
  
  196608:X+9fnWmR+m1aWLawiUQwrl767LoUu8Os4uWy92wAD1Ey:uJnWmRBaWmwPQwrliMUu8OsYy9bAD
Score

10^/10

vidar 1ad2efbf0ceace651c61a55794eeb149 credential_access discovery persistence spyware stealer
- Detect Vidar Stealer
  stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vidar1ad2efbf0ceace651c61a55794eeb149credential_accessdiscoverypersistencespywarestealer