General
-
Target
187431ab5b75e331a4b2e288f6bc72a19b0d547292a6cd3c08eac3764ad7242d
-
Size
8.4MB
-
Sample
241115-xsx6dszdqg
-
MD5
6a06b0cb0a44c80e367633766b07d871
-
SHA1
3625be47348e571db18d07074965414179f7fe0c
-
SHA256
187431ab5b75e331a4b2e288f6bc72a19b0d547292a6cd3c08eac3764ad7242d
-
SHA512
1c820cfab7a456033173a9790ac99def3d1395ba2b63952c7d8d2536950831868de626990fc78d9f5e4cf1f958dab0fe7669458e6389f1e17c13789697d8dd9a
-
SSDEEP
98304:AtLutqgCf44NYxtJpkxhGK333AYWc9wV8RWJqBb76ZZmGifrVnWMqvk9SQH:ZC1OxtJah+sw+W3bifhnAG3H
Behavioral task
behavioral1
Sample
187431ab5b75e331a4b2e288f6bc72a19b0d547292a6cd3c08eac3764ad7242d.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
187431ab5b75e331a4b2e288f6bc72a19b0d547292a6cd3c08eac3764ad7242d.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
vidar
11.5
6543812d3450fc197404a152bda5e701
https://t.me/gos90t
https://steamcommunity.com/profiles/76561199800374635
Targets
-
-
Target
187431ab5b75e331a4b2e288f6bc72a19b0d547292a6cd3c08eac3764ad7242d
-
Size
8.4MB
-
MD5
6a06b0cb0a44c80e367633766b07d871
-
SHA1
3625be47348e571db18d07074965414179f7fe0c
-
SHA256
187431ab5b75e331a4b2e288f6bc72a19b0d547292a6cd3c08eac3764ad7242d
-
SHA512
1c820cfab7a456033173a9790ac99def3d1395ba2b63952c7d8d2536950831868de626990fc78d9f5e4cf1f958dab0fe7669458e6389f1e17c13789697d8dd9a
-
SSDEEP
98304:AtLutqgCf44NYxtJpkxhGK333AYWc9wV8RWJqBb76ZZmGifrVnWMqvk9SQH:ZC1OxtJah+sw+W3bifhnAG3H
-
Detect Vidar Stealer
-
Vidar family
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Authentication Process
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4