General

  • Target

    Unlock_Tool_v2.6.5.exe

  • Size

    1.5MB

  • Sample

    241118-js9yassfjm

  • MD5

    7f643a82dae83643c8a2a3e64c65f0aa

  • SHA1

    08fe6e3de174dd886596f31559237174e451adfb

  • SHA256

    eac2023507aa414efd29baf156116048e88a00ad1d4b017fe713b83779eba0f7

  • SHA512

    3332c882f11c53e1dff374541747b3c2d6be253b86e88e60764a366bb0f03fa878210f91b3f59a0a8aa65aaf1e6ddc0a65d81654f4b4c691c92a925b641f0a1a

  • SSDEEP

    24576:m1V5bEb5v837jDHNCFYC/kNMqc5wwcotkPh2sQoarP1wRB4Z:yfxCFNGMql5PnQoaj2RB4

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

68fa61169d8a1f0521b8a06aa1f33efb

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      Unlock_Tool_v2.6.5.exe

    • Size

      1.5MB

    • MD5

      7f643a82dae83643c8a2a3e64c65f0aa

    • SHA1

      08fe6e3de174dd886596f31559237174e451adfb

    • SHA256

      eac2023507aa414efd29baf156116048e88a00ad1d4b017fe713b83779eba0f7

    • SHA512

      3332c882f11c53e1dff374541747b3c2d6be253b86e88e60764a366bb0f03fa878210f91b3f59a0a8aa65aaf1e6ddc0a65d81654f4b4c691c92a925b641f0a1a

    • SSDEEP

      24576:m1V5bEb5v837jDHNCFYC/kNMqc5wwcotkPh2sQoarP1wRB4Z:yfxCFNGMql5PnQoaj2RB4

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks