vidar

General

Target

S0FTWARE.rar
Size

17.1MB
Sample

250203-x6pq6s1jas
MD5

bf2021fb9b6d85e50f4f506e7c65222c
SHA1

f2ef73d4baaef3d3081e92efd7c748595dedad55
SHA256

438d6c2d58ecf3acd3ad86b69b17519824a5b51a51698fa48507494c27570859
SHA512

c880cbc1633b2eafb2235b0d8ec6322c10f5a66867e1b2018499614acfb9c170e9f2d35e76d9c7b637d26be10c3543ed3e62c71cf526758784d592c00edfae31
SSDEEP

393216:oedpFDl0qmjH67roK/2FCvdTjS5Do2Qx79VXzh3QQ00U64:xpFDCqmjHe2FCvdnsDMZVhCXx

Score

10^/10

Malware Config

Extracted

Family

vidar

C2

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Targets

- Target
  
  S0FTWARE.rar
- Size
  
  17.1MB
- MD5
  
  bf2021fb9b6d85e50f4f506e7c65222c
- SHA1
  
  f2ef73d4baaef3d3081e92efd7c748595dedad55
- SHA256
  
  438d6c2d58ecf3acd3ad86b69b17519824a5b51a51698fa48507494c27570859
- SHA512
  
  c880cbc1633b2eafb2235b0d8ec6322c10f5a66867e1b2018499614acfb9c170e9f2d35e76d9c7b637d26be10c3543ed3e62c71cf526758784d592c00edfae31
- SSDEEP
  
  393216:oedpFDl0qmjH67roK/2FCvdTjS5Do2Qx79VXzh3QQ00U64:xpFDCqmjHe2FCvdnsDMZVhCXx
Score

10^/10

vidar xmrig defense_evasion discovery execution miner persistence stealer upx
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2