Overview

overview

10

Static

static

10

data-Setup/Setup.exe

windows10-2004-x64

10

data-Setup...za.dll

windows7-x64

3

data-Setup...za.dll

windows10-2004-x64

3

data-Setup...za.exe

windows7-x64

3

data-Setup...za.exe

windows10-2004-x64

3

data-Setup...SE.url

windows7-x64

6

data-Setup...SE.url

windows10-2004-x64

3

data-Setup...pt.ps1

windows7-x64

10

data-Setup...pt.ps1

windows10-2004-x64

10

data-Setup...ss.bat

windows7-x64

10

data-Setup...ss.bat

windows10-2004-x64

10

data-Setup...cc.dll

windows7-x64

1

data-Setup...cc.dll

windows10-2004-x64

1

data-Setup...kv.dll

windows7-x64

1

data-Setup...kv.dll

windows10-2004-x64

1

data-Setup...mon.js

windows7-x64

3

data-Setup...mon.js

windows10-2004-x64

3

data-Setup...ub.dll

windows7-x64

5

data-Setup...ub.dll

windows10-2004-x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    data-Setup.zip

  • Size

    116.2MB

  • Sample

    250224-14c65szqw2

  • MD5

    73261f78d0e4ba21f39ac38d51f307f1

  • SHA1

    ac32357ab75dc163c04926d2dac3d733c6e49e10

  • SHA256

    c7d2fda303d9928f804d3269d128b216844d9afcb2f533054c8d87e1c6fd4aeb

  • SHA512

    c9d513bba7480f23700fbcc581001402b3d3247cd39fde4f107a0ff0224a4c191dd516678690aefb6c61106c513b2ff651f49235f10ee7886a9bb4d252afc1fe

  • SSDEEP

    3145728:dArgv0TG0kgc/l0Ivny7AEv+b8zliOFf6y/0g77Lsan:dAr00TfkLQAU+b84vG0qD

Score
10/10
vidarir7amcredential_accessdefense_evasiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice
exe.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Targets

    • Target

      data-Setup/Setup.exe

    • Size

      44KB

    • MD5

      f86507ff0856923a8686d869bbd0aa55

    • SHA1

      d561b9cdbba69fdafb08af428033c4aa506802f8

    • SHA256

      94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

    • SHA512

      6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

    • SSDEEP

      384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL

    Score
    10/10
    vidarir7amcredential_accessdiscoveryexecutionspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      data-Setup/data/7za.dll

    • Size

      284KB

    • MD5

      a608e5fb266a10174235da5c6d396769

    • SHA1

      85526701342f9db479578d08a3599cec2e8be321

    • SHA256

      a05490eea8ce1484cd15302c65803414ee7227fcbdf1a1ed2d4243f583f957df

    • SHA512

      9e4f4c45e5be9faa7c754dc646213d3a7eb862b9fade96437f285c7d571b96fc3577e12f3768ae88902c52bda2ac3d1976adc32e7145766ea66c50af303efdd5

    • SSDEEP

      6144:Rm3x2iT42LpOe4+5r7R/nV+yqwBey/M6Yijgzj9Pq7MXJzS/8aN:Rm3x2ik2LF1fIEM6GP9C7MRa

    Score
    3/10
    discovery
    behavioral2behavioral3

    • Target

      data-Setup/data/7za.exe

    • Size

      828KB

    • MD5

      426ccb645e50a3143811cfa0e42e2ba6

    • SHA1

      3c17e212a5fdf25847bc895460f55819bf48b11d

    • SHA256

      cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

    • SHA512

      1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

    • SSDEEP

      24576:b82Iz/8J9oDionNtypHq6geLmUB1HXBxCbx5MwRv8:bBYUzoDtiqELmW6nR8

    Score
    3/10
    discovery
    behavioral4behavioral5

    • Target

      data-Setup/data/cacert/LICENSE.url

    • Size

      73B

    • MD5

      d4eeff46fd41c739e4653431fe2511c1

    • SHA1

      f0e013b1593394cf7bb0bc770a7cfc9b2ff95aba

    • SHA256

      b9954f88a27e8457cefcebd076fa533d037711383f6b28ae489d063ef8c61f79

    • SHA512

      c0d809e8e561f19a9629931cda0bd8be8c8b919d6926fd63b50512919637a9ee676369d546744f5d1d7aade58dac8f55d23e2421dd24f255ec033ca3f5b001a6

    Score
    6/10
    defense_evasiondiscoverytrojan
    behavioral6behavioral7

    • Target

      data-Setup/data/extracted_3382/script.ps1

    • Size

      2KB

    • MD5

      d11c3a63c5ba659b5fe7b5534cb03df5

    • SHA1

      d08b1e6af9e5c66454236e5ba64e4c3659db4c47

    • SHA256

      02fba22cf32e907760e64c7e4bc4803e2b5395a7eef2091f3f0c9c103aaa3187

    • SHA512

      a62a807f7ec5ca51ae392f10b68f3b6a326ae596ee2fdd4da662e58662142d5842d8e8abf1f7a84aba85ef2b067803733301b769024ae8c7bc3ce625c485b4ec

    Score
    10/10
    vidarir7amcredential_accessdiscoveryexecutionspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral8behavioral9

    • Target

      data-Setup/data/extracted_3382/sss.bat

    • Size

      405B

    • MD5

      9ca3883fd45a5a455e64704ac6151ac9

    • SHA1

      e7f89032ce544253a51020d7e894f6919fc35839

    • SHA256

      c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

    • SHA512

      e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

    Score
    10/10
    vidarir7amcredential_accessdiscoveryexecutionspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral10behavioral11

    • Target

      data-Setup/data/gkcc.dll

    • Size

      38.9MB

    • MD5

      0303e644cbb68b806e1c5789e695038a

    • SHA1

      bb18ccffb3896e10202dcdead5b7046d343124b7

    • SHA256

      eace3c55a3f9b9e70f93ec8bf8398e21d3e0ab11bc387e6a893f1575ec61ec2b

    • SHA512

      a6c8f76dcb24cd02815bb65d43f710a8552dc9a5f01ffb55fbfb75fdd48e096aa960bc475e82a74662d55ae12fb4e8c31a01d401e03dba82d7da8ae319daab41

    • SSDEEP

      786432:o7u7kk+g2L3NohqHBImTQOavD9KdnLL7rqrukJmzzdTw:7f+gIyYnQBD9KdLL7rq6osJc

    Score
    1/10
    behavioral12behavioral13

    • Target

      data-Setup/data/gkv.dll

    • Size

      73.4MB

    • MD5

      e85ede9da3ae5e773f30fd42f880d3c5

    • SHA1

      933030c3a406b55a0c0b82998322d2a202fd7da4

    • SHA256

      fdbb45121aebb8c4f888bb5b78a1d6fd2de2d29df9f21c10d3e146c26448cd06

    • SHA512

      7c113412cd7e31f793b1f6e56d482a5de12b6fd22e70120b44bcb7c3ea40c214b6351b504368f1945fcadc56a5a2ad369e101cf7b0a943903713d419003ec262

    • SSDEEP

      1572864:nag0wfRLdO6HrqF9xtUaHhWadApEjoNB7dZo1rbgQiW5492pBgk:na2O6HmF9vUacoegov7dq1rbtiqmW

    Score
    1/10
    behavioral14behavioral15

    • Target

      data-Setup/data/libbrotlicommon.a

    • Size

      131KB

    • MD5

      f6f075717726d400c4303f20d8ec6af3

    • SHA1

      82faf929e85d99589be8d006f7c5f2563ea29f6b

    • SHA256

      1c6a6ff41a2a1ec0bfe8bdfe8e27127fce59e16df88e0b9060e63b11e0a9ddaf

    • SHA512

      06fefab5a9b8e1e08ee5fd2c359f191e924896593ac70a093765844ebe9218e652f9ec172419e5dbafc4766cabce9aea8d7e5ef4634da3a777f85d9aceca5e4a

    • SSDEEP

      3072:O4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBX91HU:O4AhdNorGvHdbi09GJR910

    Score
    3/10
    execution
    behavioral16behavioral17

    • Target

      data-Setup/mapistub.dll

    • Size

      218KB

    • MD5

      19f2358e19e6216a1c869fd86cd38df6

    • SHA1

      ec475b62bd4162615509ed1bf597b670392965e6

    • SHA256

      fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864

    • SHA512

      c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48

    • SSDEEP

      3072:Zm8p8kw7inIg5Vn62MftYdd+CpkRLwX/JGzIlsJFTHEp0nel2yBsKXnOkfU+CO5:kgH6DftYi3RWBNX0cXzCO

    Score
    5/10

    • Drops file in System32 directory

    behavioral18behavioral19

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

JavaScript

1
T1059.007

PowerShell

2
T1059.001

Persistence

Modify Authentication Process

1
T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

static1

Score
10/10

behavioral1

vidarir7amcredential_accessdiscoveryexecutionspywarestealer
Score
10/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

defense_evasiondiscoverytrojan
Score
6/10

behavioral7

discovery
Score
3/10

behavioral8

vidarir7amcredential_accessdiscoveryexecutionspywarestealer
Score
10/10

behavioral9

vidarir7amcredential_accessdiscoveryexecutionspywarestealer
Score
10/10

behavioral10

vidarir7amcredential_accessdiscoveryexecutionspywarestealer
Score
10/10

behavioral11

vidarir7amcredential_accessdiscoveryexecutionspywarestealer
Score
10/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

execution
Score
3/10

behavioral17

execution
Score
3/10

behavioral18

Score
5/10

behavioral19

Score
5/10