General

  • Target

    RalphCvs.exe

  • Size

    863KB

  • Sample

    241218-r4e63asnat

  • MD5

    1f4548aac2c166bacd286c6f5243908f

  • SHA1

    4f1aa4c962860e6c80c626c367ce60b87fc62022

  • SHA256

    023b8573a4295c5f78f6e89b13062e5c185d74e57d2b1c8ec066393bba87313a

  • SHA512

    889bb965859ef077ced15d0f15e4c75b743726582841b72b9634f958749671325965a1ee99c680d72db1b19a5b05a4868b7017baa73c7b88673a96689e32ce93

  • SSDEEP

    24576:wy0fEYxFMyNiAX1dwhCEcAXWnKu4UaOa1/lLD:3AjP1dwhCVvnKXUaOU/lLD

Targets

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist
