vidar | eb7593118f659dce4e1ef47eef2d465070c8cde955696f1f4925ff0076a54e3e | Triage

Submit
Reports

Overview

overview

Static

static

1

config.js

windows7-x64

8

config.js

windows10-2004-x64

Sharing

General

Target

config.js
Size

4KB
Sample

250218-wpvenawp12
MD5

b50f09dd1b24a4873bf0f24447ede431
SHA1

4a32f009ae0f2988ccbe0994cd3e8720428891db
SHA256

eb7593118f659dce4e1ef47eef2d465070c8cde955696f1f4925ff0076a54e3e
SHA512

c99cb30f2f894ec9770638d3a0e662941bc5112c226ef0096fdd4b7ceda8541ba572602fa139c335db9cbf113937455170b73d04174cb8ef6674758f99876036
SSDEEP

96:ZqF9oamAr0aIuSg42sEi6EkuzwQYwld9dyLh9gZsLvsFgl:ZqFyQr0jgjs9lhzw8OgiLegl

Score

10^/10

vidar credential_access discovery execution spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

config.js

Resource

win7-20240903-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

config.js

Resource

win10v2004-20250217-en

vidar credential_access discovery execution spyware stealer

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

vidar

C2

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Targets

- Target
  
  config.js
- Size
  
  4KB
- MD5
  
  b50f09dd1b24a4873bf0f24447ede431
- SHA1
  
  4a32f009ae0f2988ccbe0994cd3e8720428891db
- SHA256
  
  eb7593118f659dce4e1ef47eef2d465070c8cde955696f1f4925ff0076a54e3e
- SHA512
  
  c99cb30f2f894ec9770638d3a0e662941bc5112c226ef0096fdd4b7ceda8541ba572602fa139c335db9cbf113937455170b73d04174cb8ef6674758f99876036
- SSDEEP
  
  96:ZqF9oamAr0aIuSg42sEi6EkuzwQYwld9dyLh9gZsLvsFgl:ZqFyQr0jgjs9lhzw8OgiLegl
Score

10^/10

execution vidar credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Credential Access

Modify Authentication Process

Steal Web Session Cookie

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vidarcredential_accessdiscoveryexecutionspywarestealer

© 2018-2025

Terms | Privacy