General
Target: Unlock_Tool_v2.5.3.exe.zip
Size: 776KB
Sample: 241108-zyqdvazelr
MD5: 1c205ef0f9090e173774baf6cc16db41
SHA1: ddcd1dcdad8318174bcdb42bf63e7fd81e9dfb29
SHA256: d9968e713bc0c0236ce95464f670b18fe5f61b218f0360efb3b6c84f1751a80c
SHA512: 004f0bdf5d7678028269eba66ee092f1819802337336b774a500c238778e15d6588b008cc21890c8150347df2f14ed81a2799ba345b9402aced02ae5129e40cc
SSDEEP: 12288:4BThI5spy/QJeBV6QVbIhm6PGVd7I2VsvkHxh2DzarHc1tiLXCYoO0C9K:4BaWy/NBvEE6+DI9/P1t/YoO0C9K
Static task: static1
Behavioral task: behavioral1
  Sample: Unlock_Tool_v2.5.3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Unlock_Tool_v2.5.3.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted family: vidar
C2 (profile pages the stealer reads to resolve its current C2 address):
  https://t.me/gos90t
  https://steamcommunity.com/profiles/76561199800374635
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
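The extracted config gives three network indicators worth hunting for: the two profile URLs (Vidar reads its live C2 address out of a public profile field rather than hard-coding it) and a user agent that claims to be DuckDuckGo on macOS, which is anomalous coming from a Windows host. The following is an added example, not part of the sandbox report or of the malware: it pulls a candidate C2 URL out of a profile page and scans proxy log lines for the indicators. The HTML snippet, the log lines, and the placeholder address inside them are constructed for this example; the assumption that the C2 sits in an og:description meta tag is mine.

```python
"""Added example (not from the sandbox report): hunt for the extracted Vidar
network indicators in proxy telemetry and show how a dead-drop profile page
yields the real C2.  All sample data below is constructed."""
import re
from html import unescape

# Indicators copied from the report's extracted config.
DEAD_DROP_URLS = (
    "https://t.me/gos90t",
    "https://steamcommunity.com/profiles/76561199800374635",
)
USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6")

# Constructed: what a channel/profile preview page might carry.  The address is
# a documentation-range placeholder (RFC 5737), not a real indicator.
SAMPLE_PROFILE_HTML = """<html><head>
<meta property="og:title" content="gos90t">
<meta property="og:description" content="https://203.0.113.45/">
</head></html>"""


def extract_dead_drop_c2(html: str) -> list:
    """Return candidate C2 URLs found in og:description meta tags.

    Assumption for this example: the operator stores the C2 as a plain URL in
    the profile description; adjust the selector for the real page layout.
    """
    descs = re.findall(r'<meta property="og:description" content="([^"]*)"', html)
    urls = []
    for d in descs:
        urls += re.findall(r'https?://[^\s"<>]+', unescape(d))
    return urls


# Constructed proxy log lines: timestamp host method url "user-agent".
SAMPLE_PROXY_LOG = [
    '2024-11-08T12:00:01Z ws-017 GET https://t.me/gos90t "' + USER_AGENT + '"',
    '2024-11-08T12:00:02Z ws-017 GET https://steamcommunity.com/profiles/76561199800374635 "' + USER_AGENT + '"',
    '2024-11-08T12:00:05Z ws-017 POST https://203.0.113.45/ "' + USER_AGENT + '"',
    '2024-11-08T12:01:00Z ws-022 GET https://www.microsoft.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0.0.0 Safari/537.36"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def hunt_proxy_log(lines, extra_c2=()):
    """Return (host, reason, url) hits for the dead-drop URLs, any resolved C2
    passed in extra_c2, and the config's user agent."""
    hits = []
    watch = set(DEAD_DROP_URLS) | set(extra_c2)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, host, _, url, ua = m.groups()
        if url in watch:
            hits.append((host, "dead_drop_or_c2", url))
        elif ua == USER_AGENT:
            # A Safari/DuckDuckGo-on-macOS UA from a Windows fleet is itself a strong signal.
            hits.append((host, "vidar_user_agent", url))
    return hits


if __name__ == "__main__":
    c2 = extract_dead_drop_c2(SAMPLE_PROFILE_HTML)
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG, extra_c2=c2):
        print(hit)
```

Feeding the resolved address back in as `extra_c2` is the point: the profile URLs are stable, the real C2 rotates, so the hunt should be re-run each time the profile content changes.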
Targets
Target: Unlock_Tool_v2.5.3.exe.bin
Size: 1014KB
MD5: f42bf5672f267e2c91ab15cf5e62a65b
SHA1: 91a7fe6ae7b7d65f1d5fd0331e5a5114e00774ba
SHA256: 47f4e44456ec5a1e8cd427c76bfbe12285ecf5e4e6b0d0e20114527c5948f1cd
SHA512: 2f76684191aa3e186db40d30a606cb0118995e80014ed5f2a2551b9e09ecf82d560fdf7837f5216ae5b51c062b7668dab7770562dd932aee9c4dd879ffdf014a
SSDEEP: 12288:A4tEnhbou8tI4N1dM16AO9pRL/y7NEoGYW7p9nOmeymPOtanSX3XxPWxQ1MFMHwF:BtBDay3Gho1fkdQT6mdb9eEnuvr7v
Score: 10/10
- Detect Vidar Stealer
- Vidar family
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate installed software.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures per technique)
Defense Evasion
- Modify Authentication Process (T1556): 1
- Modify Registry (T1112): 1
- Subvert Trust Controls (T1553): 1
- Install Root Certificate (T1553.004): 1
Credential Access
- Credentials from Password Stores (T1555): 1
- Credentials from Web Browsers (T1555.003): 1
- Modify Authentication Process (T1556): 1
- Steal Web Session Cookie (T1539): 1
- Unsecured Credentials (T1552): 4
- Credentials In Files (T1552.001): 4