Extracted

• • Target

    017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

  • Size

    5.5MB

  • MD5

    2b74fd898c6ca79faa64f3d9cae268d4

  • SHA1

    206353bb5b604968e4821e115748f9aa3df6a671

  • SHA256

    017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

  • SHA512

    d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7

  • SSDEEP

    98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

  Score

  10^/10

  vidard165eae423b0d6c5abd85327c20d845ddefense_evasiondiscoveryevasionexecutionpersistencestealer

  • Detect Vidar Stealer

    stealer

  • Modifies security service

    evasion

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Sets service image path in registry

    persistence

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2