General
Target: sgx4824p.exe
Size: 1.7MB
Sample: 241110-s1hy8azbqk
MD5: 6309329d5a036aacee830839f82c5b2a
SHA1: 6862500fdd7e9741ac7b54ee2d7060e5e28d7f52
SHA256: 7305c4bb03ec5c017a4297e7e47d7749e56ca5bb56d3d5399a37cd0ae6b3bfd0
SHA512: 0f0b56e70d88418bba971d28c42b16534dd16d706d0b9bb9b372b80860ff579eed8c0a3984654933ac5b6717aa34a2bcf6c1a78f6ea45e0953b3a9fcd85737f2
SSDEEP: 49152:OgPGoI4XaGI4pipxxgBEX+hlqeMUxQ0LV2D5Rw9KxKUuKyL:O34XaNoq0E+ieMuQ4VYw9Kxc
Static task: static1
Behavioral task: behavioral1 (Sample: sgx4824p.exe; Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: sgx4824p.exe; Resource: win10v2004-20241007-en)
Malware Config
Extracted: vidar
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Targets
Target: sgx4824p.exe
Score: 10/10
- Detect Vidar Stealer
- Vidar family
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Modify Authentication Process (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Modify Authentication Process (1)
- Modify Registry (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4): Credentials In Files (4)