General
-
Target
https://drive.usercontent.google.com/u/0/uc?id=1ZfsxDG_eEU3TT3O0UErfL_QcfBU9vzwn&github
-
Sample
241120-3epvrawfpk
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://drive.usercontent.google.com/u/0/uc?id=1ZfsxDG_eEU3TT3O0UErfL_QcfBU9vzwn&github
Resource
win11-20241007-en
Malware Config
Extracted
vidar
11.8
68fa61169d8a1f0521b8a06aa1f33efb
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Targets
-
-
Target
https://drive.usercontent.google.com/u/0/uc?id=1ZfsxDG_eEU3TT3O0UErfL_QcfBU9vzwn&github
-
Detect Vidar Stealer
-
Stealc family
-
Vidar family
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Accessibility Features
1Component Object Model Hijacking
1Modify Authentication Process
1Privilege Escalation
Event Triggered Execution
2Accessibility Features
1Component Object Model Hijacking
1Defense Evasion
Modify Authentication Process
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1