vidar

Sharing

Copy URL

Twitter E-mail

General

Target

data-Setup.zip
Size

116.2MB
Sample

250210-ylg19svrfz
MD5

73261f78d0e4ba21f39ac38d51f307f1
SHA1

ac32357ab75dc163c04926d2dac3d733c6e49e10
SHA256

c7d2fda303d9928f804d3269d128b216844d9afcb2f533054c8d87e1c6fd4aeb
SHA512

c9d513bba7480f23700fbcc581001402b3d3247cd39fde4f107a0ff0224a4c191dd516678690aefb6c61106c513b2ff651f49235f10ee7886a9bb4d252afc1fe
SSDEEP

3145728:dArgv0TG0kgc/l0Ivny7AEv+b8zliOFf6y/0g77Lsan:dAr00TfkLQAU+b84vG0qD

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

exe.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Targets

- Target
  
  data-Setup/Setup.exe
- Size
  
  44KB
- MD5
  
  f86507ff0856923a8686d869bbd0aa55
- SHA1
  
  d561b9cdbba69fdafb08af428033c4aa506802f8
- SHA256
  
  94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb
- SHA512
  
  6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da
- SSDEEP
  
  384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL
Score

10^/10

vidar adware credential_access discovery execution persistence privilege_escalation spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3
- Target
  
  data-Setup/data/7za.dll
- Size
  
  284KB
- MD5
  
  a608e5fb266a10174235da5c6d396769
- SHA1
  
  85526701342f9db479578d08a3599cec2e8be321
- SHA256
  
  a05490eea8ce1484cd15302c65803414ee7227fcbdf1a1ed2d4243f583f957df
- SHA512
  
  9e4f4c45e5be9faa7c754dc646213d3a7eb862b9fade96437f285c7d571b96fc3577e12f3768ae88902c52bda2ac3d1976adc32e7145766ea66c50af303efdd5
- SSDEEP
  
  6144:Rm3x2iT42LpOe4+5r7R/nV+yqwBey/M6Yijgzj9Pq7MXJzS/8aN:Rm3x2ik2LF1fIEM6GP9C7MRa
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral4 behavioral5 behavioral6
- Target
  
  data-Setup/data/7za.exe
- Size
  
  828KB
- MD5
  
  426ccb645e50a3143811cfa0e42e2ba6
- SHA1
  
  3c17e212a5fdf25847bc895460f55819bf48b11d
- SHA256
  
  cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
- SHA512
  
  1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2
- SSDEEP
  
  24576:b82Iz/8J9oDionNtypHq6geLmUB1HXBxCbx5MwRv8:bBYUzoDtiqELmW6nR8
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral7 behavioral8 behavioral9
- Target
  
  data-Setup/data/cacert/LICENSE.url
- Size
  
  73B
- MD5
  
  d4eeff46fd41c739e4653431fe2511c1
- SHA1
  
  f0e013b1593394cf7bb0bc770a7cfc9b2ff95aba
- SHA256
  
  b9954f88a27e8457cefcebd076fa533d037711383f6b28ae489d063ef8c61f79
- SHA512
  
  c0d809e8e561f19a9629931cda0bd8be8c8b919d6926fd63b50512919637a9ee676369d546744f5d1d7aade58dac8f55d23e2421dd24f255ec033ca3f5b001a6
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral10 behavioral11 behavioral12
- Target
  
  data-Setup/data/extracted_3382/script.ps1
- Size
  
  2KB
- MD5
  
  d11c3a63c5ba659b5fe7b5534cb03df5
- SHA1
  
  d08b1e6af9e5c66454236e5ba64e4c3659db4c47
- SHA256
  
  02fba22cf32e907760e64c7e4bc4803e2b5395a7eef2091f3f0c9c103aaa3187
- SHA512
  
  a62a807f7ec5ca51ae392f10b68f3b6a326ae596ee2fdd4da662e58662142d5842d8e8abf1f7a84aba85ef2b067803733301b769024ae8c7bc3ce625c485b4ec
Score

10^/10

vidar discovery execution spyware stealer credential_access
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral13 behavioral14 behavioral15
- Target
  
  data-Setup/data/extracted_3382/sss.bat
- Size
  
  405B
- MD5
  
  9ca3883fd45a5a455e64704ac6151ac9
- SHA1
  
  e7f89032ce544253a51020d7e894f6919fc35839
- SHA256
  
  c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4
- SHA512
  
  e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a
Score

10^/10

vidar credential_access discovery execution spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral16 behavioral17 behavioral18
- Target
  
  data-Setup/data/gkcc.dll
- Size
  
  38.9MB
- MD5
  
  0303e644cbb68b806e1c5789e695038a
- SHA1
  
  bb18ccffb3896e10202dcdead5b7046d343124b7
- SHA256
  
  eace3c55a3f9b9e70f93ec8bf8398e21d3e0ab11bc387e6a893f1575ec61ec2b
- SHA512
  
  a6c8f76dcb24cd02815bb65d43f710a8552dc9a5f01ffb55fbfb75fdd48e096aa960bc475e82a74662d55ae12fb4e8c31a01d401e03dba82d7da8ae319daab41
- SSDEEP
  
  786432:o7u7kk+g2L3NohqHBImTQOavD9KdnLL7rqrukJmzzdTw:7f+gIyYnQBD9KdLL7rq6osJc
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral19 behavioral20 behavioral21
- Target
  
  data-Setup/data/gkv.dll
- Size
  
  73.4MB
- MD5
  
  e85ede9da3ae5e773f30fd42f880d3c5
- SHA1
  
  933030c3a406b55a0c0b82998322d2a202fd7da4
- SHA256
  
  fdbb45121aebb8c4f888bb5b78a1d6fd2de2d29df9f21c10d3e146c26448cd06
- SHA512
  
  7c113412cd7e31f793b1f6e56d482a5de12b6fd22e70120b44bcb7c3ea40c214b6351b504368f1945fcadc56a5a2ad369e101cf7b0a943903713d419003ec262
- SSDEEP
  
  1572864:nag0wfRLdO6HrqF9xtUaHhWadApEjoNB7dZo1rbgQiW5492pBgk:na2O6HmF9vUacoegov7dq1rbtiqmW
Score

8^/10

discovery adware persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral22 behavioral23 behavioral24
- Target
  
  data-Setup/data/libbrotlicommon.a
- Size
  
  131KB
- MD5
  
  f6f075717726d400c4303f20d8ec6af3
- SHA1
  
  82faf929e85d99589be8d006f7c5f2563ea29f6b
- SHA256
  
  1c6a6ff41a2a1ec0bfe8bdfe8e27127fce59e16df88e0b9060e63b11e0a9ddaf
- SHA512
  
  06fefab5a9b8e1e08ee5fd2c359f191e924896593ac70a093765844ebe9218e652f9ec172419e5dbafc4766cabce9aea8d7e5ef4634da3a777f85d9aceca5e4a
- SSDEEP
  
  3072:O4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBX91HU:O4AhdNorGvHdbi09GJR910
Score

8^/10

adware discovery execution persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral25 behavioral26 behavioral27
- Target
  
  data-Setup/mapistub.dll
- Size
  
  218KB
- MD5
  
  19f2358e19e6216a1c869fd86cd38df6
- SHA1
  
  ec475b62bd4162615509ed1bf597b670392965e6
- SHA256
  
  fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864
- SHA512
  
  c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48
- SSDEEP
  
  3072:Zm8p8kw7inIg5Vn62MftYdd+CpkRLwX/JGzIlsJFTHEp0nel2yBsKXnOkfU+CO5:kgH6DftYi3RWBNX0cXzCO
Score

8^/10

discovery adware persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral28 behavioral29 behavioral30