Extracted

• • Target

    pobrane - 2025-01-22T144753.630.png

  • Size

    25.5MB

  • MD5

    5584b75e2868dc44cf3f1500c8a3a805

  • SHA1

    51e1898117cec1747fb99c16a17f1c8265f3f1ba

  • SHA256

    220605c1327e47346db175087394962866306f2f39a94b77380c6c9a4a1682bd

  • SHA512

    6ff01d10238430a6ed0e67fa231e1e7d8644ed3a1460c472acb27865bfc3515138a0d5af37870285519164225b314142cc8337299662a490015fd615b3b723c0

  • SSDEEP

    393216:EtKuye0RDDietZDgKAbNwKsu7z7xx3KsEU0ZTdJGDgFNcU7Rcfdyy/xaAT3FHGGT:Pg+Dh3WNBvKUwxJIcfRgy2PFVEIcBk

  Score

  10^/10

  vidaradwarecredential_accessdiscoverypersistenceprivilege_escalationstealer

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2