Overview

overview

10

Static

static

1

.hta

windows7-x64

10

.hta

windows10-2004-x64

10

Resubmissions

23-12-2024 13:11

241223-qe4yfszrgj 10

23-12-2024 12:31

241223-pqanbazjcs 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    .

  • Size

    722B

  • Sample

    241223-pqanbazjcs

  • MD5

    4f2067f591d1db46908f42c461b43bc8

  • SHA1

    dbb6c2be0345648645105f5f8646662e319a01ba

  • SHA256

    edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84

  • SHA512

    5fde4eea4445de8ac73e510c43475b025d12d8f4e9c71e230d7b99a49efc8c6fa381bcda09295c26afb294bd67cf0a63c20f538dd3b66b702ca9f1ac75bf1c9a

Score
10/10
vidarcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://polovoiinspektor.shop/secure/login.txt

Targets

    • Target

      .

    • Size

      722B

    • MD5

      4f2067f591d1db46908f42c461b43bc8

    • SHA1

      dbb6c2be0345648645105f5f8646662e319a01ba

    • SHA256

      edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84

    • SHA512

      5fde4eea4445de8ac73e510c43475b025d12d8f4e9c71e230d7b99a49efc8c6fa381bcda09295c26afb294bd67cf0a63c20f538dd3b66b702ca9f1ac75bf1c9a

    Score
    10/10
    discoveryexecutionvidarcredential_accessspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks