General

  • Target

    Rose_1_1_8.exe

  • Size

    16.5MB

  • Sample

    241108-zprwbazcrl

  • MD5

    49625fba23ac12f8cdb0b734496c2e7a

  • SHA1

    36ec931080b6429bb82c69c0dd8969121bde84c2

  • SHA256

    e7b3034bfa627da7f75355c156c5921072288b8fc29f2d7f3679416ec2d095a6

  • SHA512

    9eed52a96763edf76e14c26318bf276d0b37e74b5e53057b525d665ed71b5ffc945b96259e4ad45e165d2c96fe7d50e5bfb24f0553b1ef85ebbca976777431a9

  • SSDEEP

    393216:CKbBL/I5oCb+2owezwn0ubA3iRETxf0LbSHYzQCr4jIOq2ay+Mouf:hjI5V+BXJ+Dqh48a6HFIuf

Malware Config

Extracted

Family

vidar

C2

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks