General

  • Target

    Unlock_Tool.zip

  • Size

    49.7MB

  • Sample

    241110-lya29svanq

  • MD5

    b94ff5c9d88bb94471136eb639a64420

  • SHA1

    c2b2053f395f50a82503b084af65e8e803efabc9

  • SHA256

    1f7746f66fe34a60c699d206480985db98616fa0c5bb990db70d808efe0ffd22

  • SHA512

    cea383399d2d2b94e50e92948faf3d5403100edd76d17b108ba06e7560834cee6d73924df581e47fd8f55b82bff2c45fe2fa2685d64c9ceec28698ae41bb7c96

  • SSDEEP

    1572864:6aM2esxP+a3sRkaLwu/0WBJAZ229eBddBe7EDfNMAO:VMna8Pwa0m222Sd26vO

Malware Config

Extracted

Family

vidar

C2

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      Unlock_Tool_v2.5.6.rar

    • Size

      49.7MB

    • MD5

      720f68e1a57f1881b0dcbfecdfc0b3bf

    • SHA1

      7662d996406bbd32ea2baa20ae469321bc87ee2d

    • SHA256

      edf2f2b1325eff120bef7a2414e367cd60efcc8d4256ba884d753cda39b1f381

    • SHA512

      9e58a26de7fffe731bba8625529b811475a03b60860e705e4cbb51eb9ba7fa060731e93d8fee271adda12e6d7a370277ede27dd7afaf449f06d99795d3a46cd1

    • SSDEEP

      1572864:7aM2esxP+a3sRkaLwu/0WBJAZ229eBddBe7EDfNMAG:eMna8Pwa0m222Sd26vG

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
