vidar

Sharing

Copy URL

Twitter E-mail

General

Target

data-Setup.7z
Size

116.3MB
Sample

250210-yfna4avpby
MD5

3152ed0815d3eb095c6e9c8469d99b77
SHA1

addf193abcafc1d6099b787ae7be873c79b4f365
SHA256

b99fa29a917eb26f7dd60427f9d4e261e95e06354e570b0e7f7c759672b9ebe7
SHA512

b7eae4d1cd9c6c3edce37f2601e1f3528689d459c1780558a17ccaa770d189f6413f6b51105dac595d3afb9d95a28c24b7e5a7d0bdcdfd3cb1788fe672e918b4
SSDEEP

3145728:+bjzx3kP0uuE0SWwn8lkUXljGeHS4RG9MGbVOKHntLCJCIXrd:Yz9kP0ut0Pwno1jGeySG9JVgJCIXrd

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

exe.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Targets

- Target
  
  data-Setup/Setup.exe
- Size
  
  44KB
- MD5
  
  f86507ff0856923a8686d869bbd0aa55
- SHA1
  
  d561b9cdbba69fdafb08af428033c4aa506802f8
- SHA256
  
  94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb
- SHA512
  
  6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da
- SSDEEP
  
  384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL
Score

10^/10

vidar adware discovery execution persistence privilege_escalation spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  data-Setup/data/7za.dll
- Size
  
  284KB
- MD5
  
  a608e5fb266a10174235da5c6d396769
- SHA1
  
  85526701342f9db479578d08a3599cec2e8be321
- SHA256
  
  a05490eea8ce1484cd15302c65803414ee7227fcbdf1a1ed2d4243f583f957df
- SHA512
  
  9e4f4c45e5be9faa7c754dc646213d3a7eb862b9fade96437f285c7d571b96fc3577e12f3768ae88902c52bda2ac3d1976adc32e7145766ea66c50af303efdd5
- SSDEEP
  
  6144:Rm3x2iT42LpOe4+5r7R/nV+yqwBey/M6Yijgzj9Pq7MXJzS/8aN:Rm3x2ik2LF1fIEM6GP9C7MRa
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral2 behavioral3
- Target
  
  data-Setup/data/7za.exe
- Size
  
  828KB
- MD5
  
  426ccb645e50a3143811cfa0e42e2ba6
- SHA1
  
  3c17e212a5fdf25847bc895460f55819bf48b11d
- SHA256
  
  cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
- SHA512
  
  1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2
- SSDEEP
  
  24576:b82Iz/8J9oDionNtypHq6geLmUB1HXBxCbx5MwRv8:bBYUzoDtiqELmW6nR8
Score

3^/10

discovery
behavioral4 behavioral5
- Target
  
  data-Setup/data/cacert/LICENSE.url
- Size
  
  73B
- MD5
  
  d4eeff46fd41c739e4653431fe2511c1
- SHA1
  
  f0e013b1593394cf7bb0bc770a7cfc9b2ff95aba
- SHA256
  
  b9954f88a27e8457cefcebd076fa533d037711383f6b28ae489d063ef8c61f79
- SHA512
  
  c0d809e8e561f19a9629931cda0bd8be8c8b919d6926fd63b50512919637a9ee676369d546744f5d1d7aade58dac8f55d23e2421dd24f255ec033ca3f5b001a6
Score

8^/10

defense_evasion discovery trojan
- Downloads MZ/PE file
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral6 behavioral7
- Target
  
  data-Setup/data/gkcc.dll
- Size
  
  38.9MB
- MD5
  
  0303e644cbb68b806e1c5789e695038a
- SHA1
  
  bb18ccffb3896e10202dcdead5b7046d343124b7
- SHA256
  
  eace3c55a3f9b9e70f93ec8bf8398e21d3e0ab11bc387e6a893f1575ec61ec2b
- SHA512
  
  a6c8f76dcb24cd02815bb65d43f710a8552dc9a5f01ffb55fbfb75fdd48e096aa960bc475e82a74662d55ae12fb4e8c31a01d401e03dba82d7da8ae319daab41
- SSDEEP
  
  786432:o7u7kk+g2L3NohqHBImTQOavD9KdnLL7rqrukJmzzdTw:7f+gIyYnQBD9KdLL7rq6osJc
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral8 behavioral9
- Target
  
  data-Setup/data/gkv.dll
- Size
  
  73.4MB
- MD5
  
  e85ede9da3ae5e773f30fd42f880d3c5
- SHA1
  
  933030c3a406b55a0c0b82998322d2a202fd7da4
- SHA256
  
  fdbb45121aebb8c4f888bb5b78a1d6fd2de2d29df9f21c10d3e146c26448cd06
- SHA512
  
  7c113412cd7e31f793b1f6e56d482a5de12b6fd22e70120b44bcb7c3ea40c214b6351b504368f1945fcadc56a5a2ad369e101cf7b0a943903713d419003ec262
- SSDEEP
  
  1572864:nag0wfRLdO6HrqF9xtUaHhWadApEjoNB7dZo1rbgQiW5492pBgk:na2O6HmF9vUacoegov7dq1rbtiqmW
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral10 behavioral11
- Target
  
  data-Setup/data/libbrotlicommon.a
- Size
  
  131KB
- MD5
  
  f6f075717726d400c4303f20d8ec6af3
- SHA1
  
  82faf929e85d99589be8d006f7c5f2563ea29f6b
- SHA256
  
  1c6a6ff41a2a1ec0bfe8bdfe8e27127fce59e16df88e0b9060e63b11e0a9ddaf
- SHA512
  
  06fefab5a9b8e1e08ee5fd2c359f191e924896593ac70a093765844ebe9218e652f9ec172419e5dbafc4766cabce9aea8d7e5ef4634da3a777f85d9aceca5e4a
- SSDEEP
  
  3072:O4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBX91HU:O4AhdNorGvHdbi09GJR910
Score

8^/10

execution discovery
- Downloads MZ/PE file
behavioral12 behavioral13
- Target
  
  data-Setup/mapistub.dll
- Size
  
  218KB
- MD5
  
  19f2358e19e6216a1c869fd86cd38df6
- SHA1
  
  ec475b62bd4162615509ed1bf597b670392965e6
- SHA256
  
  fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864
- SHA512
  
  c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48
- SSDEEP
  
  3072:Zm8p8kw7inIg5Vn62MftYdd+CpkRLwX/JGzIlsJFTHEp0nel2yBsKXnOkfU+CO5:kgH6DftYi3RWBNX0cXzCO
Score

5^/10
- Drops file in System32 directory
behavioral14 behavioral15