General
Target: Unlock_Tool_v2.6.7.exe
Size: 976KB
Sample: 241119-sglk1axejb
MD5: a8221418531cae557b8a39da95ce6997
SHA1: 38b1c45753cf6bdca60403915ce54fdc672f56cb
SHA256: 3fdc9301e70c0292761c668e731b38f1c66b4cad6ca81d4f1c56b917416a2364
SHA512: 03ae7964ecc6a98b601b0eadcfd59e5d15095448b0687adca35151f1caa466422ccc001130bd33ef326afbe234acd19ff1f94f5e600e67180feb3abcead0b76e
SSDEEP: 24576:kl7x9P6faKSfQXHDs+kig6+3flOXHDs+kig6+3flO+:kJ7P6CKSfQY+kPV3fwY+kPV3fw+
Static task: static1
Behavioral task: behavioral1
Sample: Unlock_Tool_v2.6.7.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: Unlock_Tool_v2.6.7.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted
vidar
11.8
68fa61169d8a1f0521b8a06aa1f33efb
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Targets
Target: Unlock_Tool_v2.6.7.exe
- Detect Vidar Stealer
- Stealc family
- Vidar family
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Authentication Process: 1
- Modify Registry: 1
- Subvert Trust Controls: 1
- Install Root Certificate: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Modify Authentication Process: 1
- Steal Web Session Cookie: 1
- Unsecured Credentials: 4
- Credentials In Files: 4