General
-
Target
0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
-
Size
199KB
-
Sample
241119-ha8rvasckp
-
MD5
a0d4a5a146297ed0f064776d81d4187e
-
SHA1
a065ef5b1b8b8b219a7bb1f62edcc9aeb28b120c
-
SHA256
0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42
-
SHA512
d06eee188a2b72215df30332f94014915d8eee70f0f67ae0e492535ca23bb0c04e395493031ac4742af4c6324bcbd71d626b0efd3095cf3e88d7ad042f6ee185
-
SSDEEP
1536:toMjJTi7pcXGRhUfJdU4I6GI4Hp/OrbdJmFLDKPWZcUbpZ6707xD7uYzEHe:thTi/UfJK4Inp2bdUFfKPWZR6EKYzE+
Static task
static1
Behavioral task
behavioral1
Sample
0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
vidar
11.7
743557e2e05a2f4a9ccf330c65d00fe9
https://t.me/m07mbk
https://steamcommunity.com/profiles/76561199801589826
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Targets
-
-
Target
0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
-
Size
199KB
-
MD5
a0d4a5a146297ed0f064776d81d4187e
-
SHA1
a065ef5b1b8b8b219a7bb1f62edcc9aeb28b120c
-
SHA256
0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42
-
SHA512
d06eee188a2b72215df30332f94014915d8eee70f0f67ae0e492535ca23bb0c04e395493031ac4742af4c6324bcbd71d626b0efd3095cf3e88d7ad042f6ee185
-
SSDEEP
1536:toMjJTi7pcXGRhUfJdU4I6GI4Hp/OrbdJmFLDKPWZcUbpZ6707xD7uYzEHe:thTi/UfJK4Inp2bdUFfKPWZR6EKYzE+
-
Detect Vidar Stealer
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar family
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Authentication Process
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4