Extracted

• • Target

    S0FTWARE.exe

  • Size

    232KB

  • MD5

    fbd1b32c4c62e90e0cf1645f88eed890

  • SHA1

    358075963f0c935cdb7eeeec1bd7a49569d880f2

  • SHA256

    d0055eec7bf7cc140098e2a37cca3a3ee9c374326279c5ba6e8f4bd9ae3dcd75

  • SHA512

    a44135fd7de05db9e3e2c3bfa94c0144a60c33cbfdba0e20632384feb9cbe05469d5f8b499146f98af4a76a8b070b9db441309746e34ed4b351cd7c586bfa70b

  • SSDEEP

    3072:2A4WSt2GdSB+vsoFJL4BBcZIdEt/UvDmeNNMbXdOolXFVf5nSj1VrHsMdJ9MQ8m:A2Gde+vsoFJL4BSWdEt/K6eNw51rn02

  Score

  10^/10

  executionvidarcredential_accessdiscoveryspywarestealer

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2