General

  • Target

    Unlock_Tool_v2.5.6.rar

  • Size

    49.7MB

  • Sample

    241110-qf96vsxfqd

  • MD5

    720f68e1a57f1881b0dcbfecdfc0b3bf

  • SHA1

    7662d996406bbd32ea2baa20ae469321bc87ee2d

  • SHA256

    edf2f2b1325eff120bef7a2414e367cd60efcc8d4256ba884d753cda39b1f381

  • SHA512

    9e58a26de7fffe731bba8625529b811475a03b60860e705e4cbb51eb9ba7fa060731e93d8fee271adda12e6d7a370277ede27dd7afaf449f06d99795d3a46cd1

  • SSDEEP

    1572864:7aM2esxP+a3sRkaLwu/0WBJAZ229eBddBe7EDfNMAG:eMna8Pwa0m222Sd26vG

Malware Config

Extracted

Family

vidar

C2

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      Unlock_Tool_v2.5.6.rar

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks