Resubmissions

19-11-2024 19:46

241119-yhglbswman 1

19-11-2024 19:42

241119-ye2gbs1cqf 1

19-11-2024 19:37

241119-ybvvda1hpp 10

General

  • Target

    Unlock_Tool.zip

  • Size

    49.5MB

  • Sample

    241119-ybvvda1hpp

  • MD5

    e8337f9891f2d8d17adfe3d612a9591d

  • SHA1

    6c4752f2a8ab432cdea8c62050996c92b775debc

  • SHA256

    60fb07e0ee62f326fd549235eb4d672133af86efccf0a72465c60e18165d3d74

  • SHA512

    02146be10a81cc7f51932b877e28447911107550d0969a4fc27ee056beaa6f4883a3d4746aa6337538f55986fa039f3d5d227a6eb8b303e353de30c225c1170f

  • SSDEEP

    786432:n7stHfy75Fu6upTSWMvz8CB9HSs0o6qx7G00chS1IwCMMXkzf1pinf1f63:nx5Fu6vWISAnMcI1IwCrU7w63

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

68fa61169d8a1f0521b8a06aa1f33efb

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      Unlock_Tool_v2.6.7.rar

    • Size

      49.5MB

    • MD5

      4b451061edc32d1712e113e60e606c35

    • SHA1

      ea13c95654f1a9f0c06a6b128cf983d188535c35

    • SHA256

      b93eed36cc9c66d3052950b1db08549a567a94a176dd44ec7f63bc5a98d92ca1

    • SHA512

      4cc79b6ae84ed2c8b938702e10af49a3bf2f5bc2ca0349faa8f2b015b19f4e52305d6a64e3e206071db369870a32045b640ea324966b54659d8f7d6654ebb8f2

    • SSDEEP

      786432:17stHfy75Fu6upTSWMvz8CB9HSs0o6qx7G00chS1IwCMMXkzf1pinf1f6Z:1x5Fu6vWISAnMcI1IwCrU7w6Z

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks