General

  • Target

    ae21d1625a332105fa099e45f15945dcfbd0e088bc357398c5b9036be80c8b9e.zip

  • Size

    1.1MB

  • Sample

    241116-naq5pavhme

  • MD5

    a21d3b50943ba289f87af6c1697ac027

  • SHA1

    6f9f8498065665fa94c78a6a55167f5af4e7aaf7

  • SHA256

    ae21d1625a332105fa099e45f15945dcfbd0e088bc357398c5b9036be80c8b9e

  • SHA512

    3eeac3ad53668dccd4f7b5a4008f57e7fdb54bf483b7e4026ea8b7908adc2919caf454adcc6ec203ccc829edaeec1e2d8edf469f00900de51bbec28db569efde

  • SSDEEP

    24576:LRv4rv+4bIk+1xjY54255J2N/VR80XuW0t/7J+5tyn7L0i:lY+4u15oJ54XRtu/mt80i

Malware Config

Extracted

Family

vidar

Version

11.7

Botnet

832ff6075d875436124f2744cc55913a

C2

https://t.me/m07mbk

https://steamcommunity.com/profiles/76561199801589826

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      InstaIIer.exe

    • Size

      41.0MB

    • MD5

      136d8eeb91c5fa33ff2049b441929788

    • SHA1

      58c0e21ec68c7c499b442c8ec2e820adf1fd15ec

    • SHA256

      5667a73898a9134a736c6b56f25577ed3f9901dd17439de0dca545ac3cd1af16

    • SHA512

      d55552584088455d96656d3ac7b33195cbf0eb511bec47da66f37ff5874fb489d69fa0eb9e1cccb3bdb431ceee835c2cb62833f420a8efcec4ee44439090a1fa

    • SSDEEP

      24576:5z0wSWUTxMWv3LPO9dOV8kS8FTVuFK76/KvHM:5z0wSWUTxM2PO9wV8kS8FTV5n

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      re86x.dll

    • Size

      177.8MB

    • MD5

      a17f011e58699c816cb3511fc14a5e3d

    • SHA1

      4a69475a7d523239f61d2fca759c35776d256eb0

    • SHA256

      be3283d6c64766a6d950a93f42164e82f93d30409697a693a7a6d8759935abdd

    • SHA512

      c5d1864bae174a523bc52026107f05de00f64401ea1a0bd037ea4eedba9abcace1e17381b3f33ced4e7ee8d54bba1b9b184750883c3a2a9feacf1dcb8ad62157

    • SSDEEP

      24576:VJ1jpSL+6UfDq80kdLx5IyYIfNvLw94Sx7aPuIaWutQrXttq89PZV53rnN7rjRLT:P1jpKNUfDq80kdDIyYIxa4Sx7aP

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks