vidar

General

Target

Wave.zip
Size

2.9MB
Sample

250222-rq8apa1mw5
MD5

2d7379bd161a17bda3775ef2d72c3fab
SHA1

9be2ba8e56ea544364e0dd598fe38b5ec9f7f4d2
SHA256

cebe30d28433cf7a019c10933548a0e183e97c12319b709776dab87de169cad5
SHA512

4d072db7127c46b8bf83a77f2dbb9c60c7d28b7e81f50c6450cbabd99f76376c345b4b310a81f1bc98e96dbf3b17a97167d1e1b25b13c892732bcfb86039bae7
SSDEEP

49152:nfEkBcsjT/TcQvOVnFjfy/AMWQ1XyGZGhLPJhJkwNmRTsfVbJ95hPqYwAqDM:hBcsjfFvWFTyZXhfGpJhJ3A5e9J9v1Hn

Score

10^/10

Malware Config

Extracted

Family

vidar

C2

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Targets

- Target
  
  Wave.exe
- Size
  
  1.5MB
- MD5
  
  213835216a59774af93e0075650b198d
- SHA1
  
  cda7acbb3b495b53cc4fc86d16a4ee1c658feffd
- SHA256
  
  40d48d8ae0be35106268e3a456c7d84c31259cd028456064afb89bf09740e09d
- SHA512
  
  b89f3ef8de0b7e185d6749bbf530c9efb4cbfcae9021e0eeb672466bdefa046add98c110e65d5b4ad884978e6047b402c59609f12027e9adf23740a90f7f8140
- SSDEEP
  
  24576:6tVu8vacLzYBurM1sPJ5MbVfeAaDFGK8M5NIH9cd7+eUYa6GPdwr+k4+g3TjDL7:GVuvclrMz1eA3K8mcYNirBk4+YTjDL
Score

10^/10

vidar discovery stealer credential_access spyware
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  d3d9.dll
- Size
  
  1.8MB
- MD5
  
  7b7447b345be7891c781915ffb1f4dce
- SHA1
  
  891a05f75b952880136426f409435ece5d5b7a0c
- SHA256
  
  91e0b91a628c32113dbffd820cbe219a55f54d68b4aedbdcc849c70ee3772223
- SHA512
  
  8976d11781f610360b5c2aad70648107bdbdc1c99cd6a1c146162743312dea56f8a6b0ba35dc040c1a098369eac13a055c7a8157de8611d34b4e79d2c2b213e8
- SSDEEP
  
  24576:1SwHWp3qWhlDzf6uNEQbaYv2KUYPMQlZh9OPXwBxNcBWgskrh8j/2L+qblg9nP:12p3qWjzf6uaYv25LKxH4skdL+qblg9
Score

1^/10
behavioral3
- Target
  
  d3dx9_24.dll
- Size
  
  3.4MB
- MD5
  
  b165df72e13e6af74d47013504319921
- SHA1
  
  c45b192cf8904b7579bbc26c799aa7ffa5cbb1d4
- SHA256
  
  1ec422bd6421c741eef57847260967f215913649901e21dd9c46eb1b3bb10906
- SHA512
  
  859b6cd538735e5cc1c44f63d66b25588ad1ad32202cae606ff95b8c4a80f6a66db9ef7c5d43820010de9334b8bbbfb079939ce89ba0b760f5d651d7fa8268ed
- SSDEEP
  
  49152:oKcfEwqx3mAEXywKYlip1rq1UzMYdBf4Uhn6bZy4rW4uosdBxn7LFU:O8f3R4YN6SrhBpLFU
Score

1^/10
behavioral4 behavioral5
- Target
  
  vcruntime140_1.dll
- Size
  
  48KB
- MD5
  
  7e986e7469d9ab3b1138353418da1793
- SHA1
  
  77903692aae688f6d5b04511d5006c66ce4daf8b
- SHA256
  
  0e560532e721b6938dafe4055eedd0251ba5eb5994cd96937cebbcf16a7ddae5
- SHA512
  
  6c8951ae9a0e329cf32eed8bf32bd83294e7a1cf7f16dd716cedbed4caf39e56e62c5f639091f9711922443ada7dbc61dffcace093211d70a85821f19883cbea
- SSDEEP
  
  768:uzzO6ujT3MbR3vXCz6Sz2q83yvjdsrU9zcgElebe9zVFZ:rq/XU63Cjd9zcZebazDZ
Score

1^/10
behavioral6 behavioral7