General

  • Target

    edb06363f2f9c31efa5019478e0b90246293ea89480123398fe914b180edf4a8.zip

  • Size

    450KB

  • Sample

    241111-dpmqpssamg

  • MD5

    e5f2ec0907c102aa4e2c2b5473708294

  • SHA1

    50215094e82901e07cc89a42d405aa8f06996043

  • SHA256

    edb06363f2f9c31efa5019478e0b90246293ea89480123398fe914b180edf4a8

  • SHA512

    75b97973d8e1798d32347186cee66b6a874e189334a5cbf3792c0de5c058d3a77f984903b08721127181baaca00e8fbfba11667e025cc895ecf2d7586d0fac27

  • SSDEEP

    6144:3M3nR/2hbXQVi0sVFjKML27pPVkljk10plqxoiMVQsHsxjldgMZSJx89:3MXd2hbXQViNgptoTTnMxJJw6

Malware Config

Extracted

Family

vidar

C2

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      InsstallingFileX64.exe

    • Size

      50.2MB

    • MD5

      bed89eae60b75ce8d2218a897be3a394

    • SHA1

      627cb8cef91a14b1053aadfc34b7abf12bd654aa

    • SHA256

      de0eb08fe4ecc4e8a7b78c736a497f94c74c15ac7e5cf97869d4d2a6b3ce421f

    • SHA512

      636f856fc66feb44e9b323453cf39029628e3ff328ba63ffa5bc4bdc126ef1a3e7c7b1a83ab86bc562e65182f3cbc386ac375c33a7d7b7c290792037e97a315f

    • SSDEEP

      6144:aoNqg+ua4U+c2MpXZAd/kfvuFN2Ea+4blIoNPmGRw2f1LO4:tou1c2MFiNQlIrGWK9

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      hgr86x.dll

    • Size

      36.0MB

    • MD5

      a4687ac356af5beafd27cbb9759294d7

    • SHA1

      381b315a0df9d29582cb0e6e3e7c03489fd79b7e

    • SHA256

      c07072078a40391a727de98be712f29caa2bf570906580355d8b22ae4f98df03

    • SHA512

      0526e5ca3d91c398793c52d5acd71a73b02dcb4904604d80b2a212af445a45886d0ad0b9ad95a78c7db93656fe184afc26451241d773f954aff77c0fb25604c3

    • SSDEEP

      24576:CQ7E9v4Uh1UNoaL3+GsnuY8JVlKI0yaZ+ZzAEAif:w9

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks