General
-
Target
https://google.com
-
Sample
250216-hmmedaxmdk
Malware Config
Extracted
vidar
https://t.me/b4cha00
https://steamcommunity.com/profiles/76561199825403037
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
Targets
-
-
Target
https://google.com
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
A potential corporate email address has been identified in the URL: [email protected]
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1