General

  • Target

    noll.exe

  • Size

    384KB

  • Sample

    241218-mg376awmhr

  • MD5

    d78f753a16d17675fb2af71d58d479b0

  • SHA1

    71bfc274f7c5788b67f7cfae31be255a63dcf609

  • SHA256

    ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5

  • SHA512

    60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8

  • SSDEEP

    6144:elqPvKpKJNJGyRlyY8aSp0Vbux0R4kF/Y/o8+:emRJNMalyjaO0Ix6BY/s

Malware Config

Extracted

Family

vidar

Version

11

Botnet

2ee1445fc63bc20d0e7966867b13e0e1

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Targets

    • Target

      noll.exe

    • Size

      384KB

    • MD5

      d78f753a16d17675fb2af71d58d479b0

    • SHA1

      71bfc274f7c5788b67f7cfae31be255a63dcf609

    • SHA256

      ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5

    • SHA512

      60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8

    • SSDEEP

      6144:elqPvKpKJNJGyRlyY8aSp0Vbux0R4kF/Y/o8+:emRJNMalyjaO0Ix6BY/s

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks