Overview

overview

10

Static

static

3

data-Setup/Setup.exe

windows10-2004-x64

10

data-Setup...za.dll

windows7-x64

3

data-Setup...za.dll

windows10-2004-x64

3

data-Setup...za.exe

windows7-x64

3

data-Setup...za.exe

windows10-2004-x64

3

data-Setup...SE.url

windows7-x64

6

data-Setup...SE.url

windows10-2004-x64

3

data-Setup...cc.dll

windows7-x64

1

data-Setup...cc.dll

windows10-2004-x64

1

data-Setup...kv.dll

windows7-x64

1

data-Setup...kv.dll

windows10-2004-x64

1

data-Setup...mon.js

windows7-x64

3

data-Setup...mon.js

windows10-2004-x64

3

data-Setup...ub.dll

windows7-x64

5

data-Setup...ub.dll

windows10-2004-x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Application_x32_x64.rar

  • Size

    115.8MB

  • Sample

    250225-k2565s1qs8

  • MD5

    aa95156b97009ff8f8b052473dd672e6

  • SHA1

    ac7f4e7933d90940444f1a4e754eb8e2901033e8

  • SHA256

    dbc1850dcf3759cfb4a968693c812db1110d693cdfb4f54353a5d6e98637a3cd

  • SHA512

    00435e85561ae44347b6bbee74dda59a646a880a000bd2d3b7d1a31e8f8c81c146579735bedbb8fedcba614998dfbc0747eb65320b2ed3a8f8ec6cd433093a0d

  • SSDEEP

    3145728:u9V7tlK02gSANgXNri1xIzJVIQ8qjS1sUUS+DVLB:kbK0+AuBikXtiCScb

Score
10/10
vidarir7amcredential_accessdefense_evasiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/lica
exe.dropper

https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/lica

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Targets

    • Target

      data-Setup/Setup.exe

    • Size

      44KB

    • MD5

      f86507ff0856923a8686d869bbd0aa55

    • SHA1

      d561b9cdbba69fdafb08af428033c4aa506802f8

    • SHA256

      94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

    • SHA512

      6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

    • SSDEEP

      384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL

    Score
    10/10
    vidarir7amcredential_accessdiscoveryexecutionspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      data-Setup/data/7za.dll

    • Size

      284KB

    • MD5

      a608e5fb266a10174235da5c6d396769

    • SHA1

      85526701342f9db479578d08a3599cec2e8be321

    • SHA256

      a05490eea8ce1484cd15302c65803414ee7227fcbdf1a1ed2d4243f583f957df

    • SHA512

      9e4f4c45e5be9faa7c754dc646213d3a7eb862b9fade96437f285c7d571b96fc3577e12f3768ae88902c52bda2ac3d1976adc32e7145766ea66c50af303efdd5

    • SSDEEP

      6144:Rm3x2iT42LpOe4+5r7R/nV+yqwBey/M6Yijgzj9Pq7MXJzS/8aN:Rm3x2ik2LF1fIEM6GP9C7MRa

    Score
    3/10
    discovery
    behavioral2behavioral3

    • Target

      data-Setup/data/7za.exe

    • Size

      828KB

    • MD5

      426ccb645e50a3143811cfa0e42e2ba6

    • SHA1

      3c17e212a5fdf25847bc895460f55819bf48b11d

    • SHA256

      cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

    • SHA512

      1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

    • SSDEEP

      24576:b82Iz/8J9oDionNtypHq6geLmUB1HXBxCbx5MwRv8:bBYUzoDtiqELmW6nR8

    Score
    3/10
    discovery
    behavioral4behavioral5

    • Target

      data-Setup/data/cacert/LICENSE.url

    • Size

      73B

    • MD5

      d4eeff46fd41c739e4653431fe2511c1

    • SHA1

      f0e013b1593394cf7bb0bc770a7cfc9b2ff95aba

    • SHA256

      b9954f88a27e8457cefcebd076fa533d037711383f6b28ae489d063ef8c61f79

    • SHA512

      c0d809e8e561f19a9629931cda0bd8be8c8b919d6926fd63b50512919637a9ee676369d546744f5d1d7aade58dac8f55d23e2421dd24f255ec033ca3f5b001a6

    Score
    6/10
    defense_evasiondiscoverytrojan
    behavioral6behavioral7

    • Target

      data-Setup/data/gkcc.dll

    • Size

      38.9MB

    • MD5

      0303e644cbb68b806e1c5789e695038a

    • SHA1

      bb18ccffb3896e10202dcdead5b7046d343124b7

    • SHA256

      eace3c55a3f9b9e70f93ec8bf8398e21d3e0ab11bc387e6a893f1575ec61ec2b

    • SHA512

      a6c8f76dcb24cd02815bb65d43f710a8552dc9a5f01ffb55fbfb75fdd48e096aa960bc475e82a74662d55ae12fb4e8c31a01d401e03dba82d7da8ae319daab41

    • SSDEEP

      786432:o7u7kk+g2L3NohqHBImTQOavD9KdnLL7rqrukJmzzdTw:7f+gIyYnQBD9KdLL7rq6osJc

    Score
    1/10
    behavioral8behavioral9

    • Target

      data-Setup/data/gkv.dll

    • Size

      73.4MB

    • MD5

      e85ede9da3ae5e773f30fd42f880d3c5

    • SHA1

      933030c3a406b55a0c0b82998322d2a202fd7da4

    • SHA256

      fdbb45121aebb8c4f888bb5b78a1d6fd2de2d29df9f21c10d3e146c26448cd06

    • SHA512

      7c113412cd7e31f793b1f6e56d482a5de12b6fd22e70120b44bcb7c3ea40c214b6351b504368f1945fcadc56a5a2ad369e101cf7b0a943903713d419003ec262

    • SSDEEP

      1572864:nag0wfRLdO6HrqF9xtUaHhWadApEjoNB7dZo1rbgQiW5492pBgk:na2O6HmF9vUacoegov7dq1rbtiqmW

    Score
    1/10
    behavioral10behavioral11

    • Target

      data-Setup/data/libbrotlicommon.a

    • Size

      131KB

    • MD5

      f6f075717726d400c4303f20d8ec6af3

    • SHA1

      82faf929e85d99589be8d006f7c5f2563ea29f6b

    • SHA256

      1c6a6ff41a2a1ec0bfe8bdfe8e27127fce59e16df88e0b9060e63b11e0a9ddaf

    • SHA512

      06fefab5a9b8e1e08ee5fd2c359f191e924896593ac70a093765844ebe9218e652f9ec172419e5dbafc4766cabce9aea8d7e5ef4634da3a777f85d9aceca5e4a

    • SSDEEP

      3072:O4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBX91HU:O4AhdNorGvHdbi09GJR910

    Score
    3/10
    execution
    behavioral12behavioral13

    • Target

      data-Setup/mapistub.dll

    • Size

      218KB

    • MD5

      19f2358e19e6216a1c869fd86cd38df6

    • SHA1

      ec475b62bd4162615509ed1bf597b670392965e6

    • SHA256

      fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864

    • SHA512

      c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48

    • SSDEEP

      3072:Zm8p8kw7inIg5Vn62MftYdd+CpkRLwX/JGzIlsJFTHEp0nel2yBsKXnOkfU+CO5:kgH6DftYi3RWBNX0cXzCO

    Score
    5/10

    • Drops file in System32 directory

    behavioral14behavioral15

MITRE ATT&CK Enterprise v15

Tasks