Overview

overview

10

Static

static

3

S0FTWARE.rar

windows7-x64

1

S0FTWARE.rar

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    S0FTWARE.rar

  • Size

    17.1MB

  • Sample

    250206-vczyyasndj

  • MD5

    4f4d6b8038f0161743a0417cf4075e3a

  • SHA1

    5af34fbd37ebd0ff8061a0f8d7cb513ab56cebf2

  • SHA256

    b6fc49b8355a266c4914ebdb0ed7f00820c393bd5c1f136049480e08e8af4309

  • SHA512

    6b3a9c8c567a6fb445bfdb13e51537aea77fedbe5b471b0889815eb782791f15e6b1e4a0d4e7a850d29e86f078b65e8e7ecd0e4e4de8cd1ce8b8b2fcba5647a8

  • SSDEEP

    393216:bvw+bRdjNzBnHt+XhuNADR2zZHtE12RFeWkXn9fD+dIKVBtcbNlfHX0W7v:bvwuRPzBnHt+0SF2dHtEgv2n9fydIKVA

Score
10/10
vidarxmrigdefense_evasiondiscoveryexecutionminerpersistencestealerupx

Malware Config

Extracted

Family

vidar

C2

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Targets

    • Target

      S0FTWARE.rar

    • Size

      17.1MB

    • MD5

      4f4d6b8038f0161743a0417cf4075e3a

    • SHA1

      5af34fbd37ebd0ff8061a0f8d7cb513ab56cebf2

    • SHA256

      b6fc49b8355a266c4914ebdb0ed7f00820c393bd5c1f136049480e08e8af4309

    • SHA512

      6b3a9c8c567a6fb445bfdb13e51537aea77fedbe5b471b0889815eb782791f15e6b1e4a0d4e7a850d29e86f078b65e8e7ecd0e4e4de8cd1ce8b8b2fcba5647a8

    • SSDEEP

      393216:bvw+bRdjNzBnHt+XhuNADR2zZHtE12RFeWkXn9fD+dIKVBtcbNlfHX0W7v:bvwuRPzBnHt+0SF2dHtEgv2n9fydIKVA

    Score
    10/10
    vidarxmrigdefense_evasiondiscoveryexecutionminerpersistencestealerupx

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks