Extracted

• • Target

    file.ps1

  • Size

    29B

  • MD5

    726ac161772f83ef4c852d6c3e158e86

  • SHA1

    66b5487d1d873300d241e96fed4e1ba5d8fea2af

  • SHA256

    630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced

  • SHA512

    0b103e71e1a6b5ba400981f45ba460290ec97bd424a80ed4675b12aa68e9d3426bc253c5ae63ad4deba146b69a10b8f532c40344e6194482c3cc73bc4ab95910

  Score

  10^/10

  vidarcredential_accessdiscoveryexecutionstealeradwarepersistenceprivilege_escalation

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2