Overview

overview

10

Static

static

1

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

$TEMP/Cm.potm

windows7-x64

3

$TEMP/Cm.potm

windows10-2004-x64

1

$TEMP/Contents.potm

windows7-x64

3

$TEMP/Contents.potm

windows10-2004-x64

1

$TEMP/Cont...g.potm

windows7-x64

3

$TEMP/Cont...g.potm

windows10-2004-x64

1

$TEMP/Elementary.potm

windows7-x64

3

$TEMP/Elementary.potm

windows10-2004-x64

3

$TEMP/Templates.potm

windows7-x64

3

$TEMP/Templates.potm

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    random.exe

  • Size

    899KB

  • Sample

    250207-swz2yaxpbp

  • MD5

    1e854cc21a0a1e0d4529eafa30f00c46

  • SHA1

    7d46238f771042bee22b70555e69fbbecc556737

  • SHA256

    435eaccabde5605bb4d9a13ae054c63dd4e5ad61025e0515702e8121cf0a9598

  • SHA512

    278a7cee7819d5cc685dd9c075639968798341bac23718b15441d3b9b0d723eb7836e0329c5c5f096f54dcce826e8ea871d033385b72464637391a14b61f33fb

  • SSDEEP

    24576:vZzss7nmV+EsC9s50bHp4H2gS1YuzusJGuYco03ddH:BI49EsqDH+cTG2NdH

Score
10/10
vidarcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Targets

    • Target

      random.exe

    • Size

      899KB

    • MD5

      1e854cc21a0a1e0d4529eafa30f00c46

    • SHA1

      7d46238f771042bee22b70555e69fbbecc556737

    • SHA256

      435eaccabde5605bb4d9a13ae054c63dd4e5ad61025e0515702e8121cf0a9598

    • SHA512

      278a7cee7819d5cc685dd9c075639968798341bac23718b15441d3b9b0d723eb7836e0329c5c5f096f54dcce826e8ea871d033385b72464637391a14b61f33fb

    • SSDEEP

      24576:vZzss7nmV+EsC9s50bHp4H2gS1YuzusJGuYco03ddH:BI49EsqDH+cTG2NdH

    Score
    10/10
    vidarcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

    • Target

      $TEMP/Cm.potm

    • Size

      88KB

    • MD5

      ea946bdf2f84accd7dfef4aadd7ceba0

    • SHA1

      2b3e2257cb4132924adb6ffdf79c64ecd2e1bde7

    • SHA256

      2625c1467ac13734c7ac9d6440113895a5166f913fb6a48ccc3b1b479d1cbda3

    • SHA512

      7f3f9ca44c1ffec0f0b6b419d043c2f8547002e0d2139848787d077976591f01a9e77b960d95ae886ec4d9030293740d2f551851b053e827ffb8a00c6c810953

    • SSDEEP

      1536:FBEWBgbj9gAmdo5kJjAGEER3tSzZ8ezFvt7KbyjPeC5M6WQRD1+3KmvvyCUS0T:FBnBMj9gAmdfjAAR3tSzlt7k2mC5MNiZ

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $TEMP/Contents.potm

    • Size

      68KB

    • MD5

      3f570eacdb34cdf2de5cdf884b66a478

    • SHA1

      795922094e89040c2a901098dba1275f122f6e90

    • SHA256

      9fc76a453901a25a61c23c355bb8ffba38698fa841cfc2732c0de803a7167a52

    • SHA512

      dea0c493792e13d3e1f9bf64c884dd9b575f0dcd2aadf3a004ffa5c62d5c2b0488b4fb670c5bdbd8f2a5c7da0254c5fc3109255a0ac29831176683b6dc4f921a

    • SSDEEP

      1536:KfkIU5FNmhdjRtbgOD+FkkZG+aA45t1GIlNIdtyVG:GCYd1tl++FA2LIfOG

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $TEMP/Contributing.potm

    • Size

      57KB

    • MD5

      58324423292aba1fe85ce884cc359575

    • SHA1

      79727d862731765ef1edabb4a42f8c315d525968

    • SHA256

      10353a8e746724e0238c59ffe82f8148241a9fd4788f8929e7e8985671a211e9

    • SHA512

      ec93064e909ee1aad291c59f09b3c1abb5afefeb4a988df29247aff1551c9525708068e4fb0d72014c6e207efc4e0bb656521be47f46c4b9a61c14034935fa48

    • SSDEEP

      1536:/UYozsxmkL/FfuHGBt2sfEmAuNBWXp2Hi0Hfd5IQIB0:15LwitBAMri0j80

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      $TEMP/Elementary.potm

    • Size

      10KB

    • MD5

      6d2e9bdc77ef7d4073fe0a23d24b7346

    • SHA1

      33045b56a62059a14756b961a8e4220a09fb035c

    • SHA256

      6e44faaef0ad7290e3ecbeec66dde3b959460d650f252b62e6a294758d512313

    • SHA512

      8c8d7edcda2c371c06a6bc882e056163e072a40b15df581bd7c7558d5bebf0e67dba3695855c9ad213cf17838f7cee3a340fb7222e0ddfec84b8fb21f999cbf4

    • SSDEEP

      192:BQqHXkgs51sA3CF/jgDVyDg3UN+ka3u5thAfauqRF0NBBSyxzGm:WoXkgfqRyE373u5/ADqGTDxr

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      $TEMP/Templates.potm

    • Size

      42KB

    • MD5

      d685b3edf1832219412c49c1849c909d

    • SHA1

      40a8faa278c5f2e815b7d4995f77976503a93bd1

    • SHA256

      0012725c1b11f84029a45d7fbbc3a828acc9528b23ef8d56ffa11d6f9666373a

    • SHA512

      7fdf0b5e25293bdc6146497e28605c76cdb803d3edb7b509b582a3df7b5695384237dbbcf08ea25d8cfa21c0029ea7392dc34100e2c40ea52083cee6b6259d38

    • SSDEEP

      768:/HEePNhNpjwMOiNS+qm3kzSeYZZBrYanLpeNdmje7NFNu1PEM6IUJiy:PRtd3SzSEiZZBrYanNeNumNWB6Ik

    Score
    3/10
    discovery
    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

1
T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Tasks