General

  • Target

    ceb5022b92f0429137dc0fb67371e901.bin

  • Size

    6KB

  • Sample

    241202-capfbaylap

  • MD5

    6de57865d1572dd4805b7b78f2ec2653

  • SHA1

    bc5f38915b800b543768e25dace4094b7f445181

  • SHA256

    fc812abc241fc10f63ab1ceb27fc190358780a268aee14a327de914c15efb185

  • SHA512

    bab5f62139310d4fa0786642f3a0bccdbbe8e055d67a7b01d3cf1d65a1cd96b02f3e05511a6bbc137dce46d8a54060a1ac6b4ce203ddef318cb3b5f5ea910728

  • SSDEEP

    192:TWqLJ8irF2chAL3PHceWXLLBHzYx3FD6UreXtF8c3K:yqLJl963Pcezx1DPefK

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

41d35cbb974bc2d1287dcd4381b4a2a8

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b.exe

    • Size

      12KB

    • MD5

      ceb5022b92f0429137dc0fb67371e901

    • SHA1

      999932b537591401dfa1a74df00dae99264bd994

    • SHA256

      8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b

    • SHA512

      a7acdf417ef81f131c050bc8bd364edddf7a2ebc446c69411d549c14ca8967af7b8c8a2d4556018f148d1b57bc985e10104cdc72e2bed518cfe3280b0254a3d8

    • SSDEEP

      192:knUbCDQoJq4Hb0jPuiJddudb7Z+XX1cNIQKXy+AFtaffEOsSRMWSVP1W58:kg3MGWimFNIQKX4Fgf8OxRBSVU

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15