Extracted

Extracted

Extracted

• • Target

    run.ps1

  • Size

    98B

  • MD5

    f06b8028feb204bc56013b2f961ea80c

  • SHA1

    8d5eeee9730fcd09b7e46b566d00b28458405457

  • SHA256

    cd1dab4f48894954a1c3fec77cb8af692a49853cb7b0c748021bbecbec8496c1

  • SHA512

    fbc4f28323c80ccd2faf9030aefecb47846aa379df61f6bcbcaf093691669f375cfcb09a519969d16e0e3b88faf5baaa0538faf3695c95595d501f3839bedc76

  Score

  10^/10

  executionvidarcredential_accessdiscoveryspywarestealer

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery
  behavioral1behavioral2