Overview

overview

10

Static

static

1

S0FTWARE.zip

windows7-x64

1

S0FTWARE.zip

windows10-2004-x64

10

S0FTWARE_(...4).zip

windows7-x64

1

S0FTWARE_(...4).zip

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    S0FTWARE.zip

  • Size

    152.1MB

  • Sample

    241020-xggdhathje

  • MD5

    c4e6c468339dec6f0a3129bb418de4e8

  • SHA1

    da45658d7c47c66e825436896cb157294d9c0419

  • SHA256

    d213b75523db2e3678178d0cb992aa0a1a6e0b7378578e638160b9bf30d23815

  • SHA512

    d4a0e2361b879095033d5345b167b134da868ad6cffc7c447cad2844e9d42f7c212d0f1a79dcb523870ef24c20f4c5c39873203319ac7f02d8d498bdbb36653d

  • SSDEEP

    3145728:m1cZZPJb63kzIvNI9Wt2ij4Hv8j9oe2APzKqMbplU0weB/FoEIEQOjYDLxJJ:kAZPJbIkzIVIjij4HeorAPzdMvUd6h3k

Score
10/10
vidarxmrig467d1313a0fbcd97b65a6f1d261c288fcredential_accessdiscoveryevasionexecutionminerpersistencespywarestealerupx

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

467d1313a0fbcd97b65a6f1d261c288f

C2

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

    • Target

      S0FTWARE.zip

    • Size

      152.1MB

    • MD5

      c4e6c468339dec6f0a3129bb418de4e8

    • SHA1

      da45658d7c47c66e825436896cb157294d9c0419

    • SHA256

      d213b75523db2e3678178d0cb992aa0a1a6e0b7378578e638160b9bf30d23815

    • SHA512

      d4a0e2361b879095033d5345b167b134da868ad6cffc7c447cad2844e9d42f7c212d0f1a79dcb523870ef24c20f4c5c39873203319ac7f02d8d498bdbb36653d

    • SSDEEP

      3145728:m1cZZPJb63kzIvNI9Wt2ij4Hv8j9oe2APzKqMbplU0weB/FoEIEQOjYDLxJJ:kAZPJbIkzIVIjij4HeorAPzdMvUd6h3k

    Score
    10/10
    vidarxmrig467d1313a0fbcd97b65a6f1d261c288fcredential_accessdiscoveryevasionexecutionminerpersistencespywarestealerupx

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      S0FTWARE_(password_1234).zip

    • Size

      152.1MB

    • MD5

      9b5fa5c55c90343d37c37f6146351bbb

    • SHA1

      e3e58468022671236cae687902194efc68bb79f3

    • SHA256

      17c653e206918c482ecb2c2cce6261d8b92f3f9d5c926f8daef4f25451ff8207

    • SHA512

      c4e7f43fb8479de467eacebe7f3784293b22faa0faedf106341464dfe9f41bdc31fdfc784f4e3ee66bf06f543a47369977e31d20a14e729863e74448d121dee7

    • SSDEEP

      3145728:KMSxp7GQQRIhWBxKJSf6yjcH1Cl9eU4MP/uKIdR3wG+ULX5A66uqsjNmvjdPb:5wp7GQ6IhWfKdyjcHEe/MP/vIHwZYpda

    Score
    1/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks