General
Target: d7d777bc94b68f632b4d8254c69cbf7bb4d21463ddc0127b629a6946b068b862.zip
Size: 3.4MB
Sample: 241116-qqh55a1mgm
MD5: e6f3212045537134b2f5ff7290241af1
SHA1: 2a85a4c48b6a732937cf0bf63033693179b1cfb3
SHA256: d7d777bc94b68f632b4d8254c69cbf7bb4d21463ddc0127b629a6946b068b862
SHA512: 5154fd892d93eb8abdf05bd6bf169a9c0ea124909aa0a0393b98e87fd446c07ecbb3942afec9a73bfd0a9159b7275088bae87677876021469dc0dce9122611bd
SSDEEP: 98304:NltztvuwzT0N5kELs+A7BYRh1JoqSGCBYqg0opq+mobu/:NxvdzT0N5TLOYRhjhg5cpG
Static task: static1
Behavioral task: behavioral1
  Sample: InsstallingFileX64_1.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: InsstallingFileX64_1.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: rydg86x.dll
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: rydg86x.dll
  Resource: win10v2004-20241007-en
Malware Config
Extracted
vidar
11.7
93fc6460673f6002db33ceb23a9e1868
https://t.me/m07mbk
https://steamcommunity.com/profiles/76561199801589826
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Targets
Target: InsstallingFileX64_1.exe
Size: 55.2MB
MD5: deae42628027ddba5be9da5d677cab1b
SHA1: 258e78c53099ac93d5ccf96bdf4a6cdd7529e3ea
SHA256: 0b3ec79d97a2e5edb398768cd1bc525fccca95eea9fbd5fe6ea6acfde3561a7a
SHA512: 7b01d4b06f402ed2eef0fb9d16cd32170d16eeb871f48d26cf83e7c3b7803ba8b47d7568a14966c174bfbb1f5224d7ac09d89dfa987230716abc7fa693836cb4
SSDEEP: 196608:IVnfEtQ78Kp6OL13ZTsUdXgDzQ7Md4fYATaN5iVWE3lEcmio7PIuGsCdm5kx00Fq:IVnMtQ78xd40Qls7PIxso00
- Detect Vidar Stealer
- Vidar family
- Downloads MZ/PE file
- Uses browser remote debugging: Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: rydg86x.dll
Size: 41.0MB
MD5: 94ede2f21ef711154e0e3221fa794a06
SHA1: 7fbd93f1a91ce7d435e3ee43cd535b07560dc9ee
SHA256: dc2ae16c77466c63f0cc61caecbca5983837cee005213b884bccd8a2a9ed587f
SHA512: 68c09124512779ef8c7d0c0fa5f445ac137017d7a0fc05db6e32c580b7d92614d0358ea2d8e9dfbc07479b993bb731b56cd6676de33b04cda78de00f8cc3425b
SSDEEP: 196608:n3L3NL80mvor/pVpFnD426B+unfh+J/i9AQgS/6XAv8Mh3M1IcjfDGy2lndzVYSi:n3L3NLC26B8/AvP3MelndzVYcZI
Score: 3/10
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Authentication Process (1)
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
- Credentials In Files (4)