Behavioral tasks
behavioral1: Sample 0.exe, Resource win7-20250207-en
behavioral2: Sample 0.exe, Resource win10v2004-20250314-en
behavioral3: Sample 1.exe, Resource win7-20240903-en
behavioral4: Sample 1.exe, Resource win10v2004-20250314-en
behavioral5: Sample 3.exe, Resource win7-20240903-en
behavioral6: Sample 3.exe, Resource win10v2004-20250314-en
General
Target: malware.7z
Size: 688KB
MD5: 8f96070ece15d2ac7bd98e89e8f9119b
SHA1: 7fa4661d75a2c40d1abe540dcc58f9fe0bba9962
SHA256: fc692e62d466b316c3d0174fdbe6fa6d778e47e29b356a39d9a8f3df1e4a571d
SHA512: 14917b01f4083d676cdd7afde76c136c2a4fbed8d1bfad3be850b53dbb2bb3168ab26a9a8c288e203806e89efacae2f943da279636f75c11c9fb9faf22534a01
SSDEEP: 12288:8iOQ2snGfsgFZvXGHlaMUM5X/uOIPGzDbWoKtEnImpOPySv6eeRPPHsrmI8qzLPT:3DG0gFZfGHltDPujPqu2Pp8yVRPPAjvT
Malware Config
Extracted: vidar 28.3 651 http://manillamemories.com/
profile_id: 651
Signatures
Files
malware.7z.7z (Password: infected)
0.exe windows:5 windows x86 arch:x86
MD5: fd6e2d905392a4911591f53458632d22
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
AllocConsole
lstrcpynA
InterlockedDecrement
SetDefaultCommConfigW
GetEnvironmentStringsW
GetModuleHandleW
ActivateActCtx
GetConsoleCP
GlobalAlloc
SetFileShortNameW
GetSystemPowerStatus
GetCalendarInfoA
ReadProcessMemory
lstrlenW
GetProcAddress
HeapUnlock
ResetEvent
LocalAlloc
HeapLock
GetOEMCP
VirtualProtect
FindActCtxSectionStringW
CommConfigDialogW
DeleteFileA
GetFileAttributesW
CreateMutexW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetStartupInfoA
RtlUnwind
HeapAlloc
GetLastError
HeapFree
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
Sleep
HeapSize
ExitProcess
EnterCriticalSection
LeaveCriticalSection
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
SetFilePointer
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetConsoleMode
GetCPInfo
GetACP
IsValidCodePage
VirtualAlloc
HeapReAlloc
LoadLibraryA
InitializeCriticalSectionAndSpinCount
CloseHandle
CreateFileA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
FlushFileBuffers
SetEndOfFile
GetProcessHeap
ReadFile
advapi32
AdjustTokenPrivileges
Sections
.text Size: 44KB - Virtual size: 43KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 10KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 336KB - Virtual size: 46.7MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 57KB - Virtual size: 57KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
1.exe windows:5 windows x86 arch:x86
MD5: 50ac3d5cf691b8bce399538f4883f0ad
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
CreateDirectoryA
GetLastError
CreateMutexA
CloseHandle
WriteFile
CreateFileA
MultiByteToWideChar
ReadFile
GetFileSize
GetVersionExA
GetFileSizeEx
Process32Next
Process32First
CreateToolhelp32Snapshot
TerminateProcess
OpenProcess
GetProcAddress
LoadLibraryA
FileTimeToSystemTime
FreeLibrary
GetPrivateProfileSectionNamesA
lstrcatA
GetFileAttributesW
InitializeCriticalSection
InterlockedCompareExchange
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
AreFileApisANSI
SetFilePointer
SetEndOfFile
FlushFileBuffers
UnlockFile
LockFile
LockFileEx
UnlockFileEx
GetFileAttributesA
GetFileAttributesExW
SetCurrentDirectoryA
QueryPerformanceCounter
GetTickCount
GetSystemTime
CopyFileW
UnmapViewOfFile
GetTempPathA
GetTempPathW
FormatMessageA
FormatMessageW
GetFullPathNameA
GetFullPathNameW
GetDiskFreeSpaceA
GetDiskFreeSpaceW
CreateFileW
GetSystemInfo
MapViewOfFile
CreateFileMappingA
GetComputerNameA
IsWow64Process
GetCurrentProcess
GlobalMemoryStatus
GetModuleHandleA
GetUserDefaultLocaleName
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetLocaleInfoA
GetFileInformationByHandle
SystemTimeToFileTime
GetLocalTime
CompareStringW
SetStdHandle
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetLocaleInfoW
GetStringTypeW
GetModuleFileNameA
GetCurrentProcessId
Sleep
DeleteFileA
ExitProcess
GetLogicalDriveStringsA
GetDriveTypeA
LoadLibraryW
CreateDirectoryW
lstrcpyW
lstrlenA
lstrcatW
FindFirstFileW
lstrcmpW
DeleteFileW
FindNextFileW
FindClose
HeapFree
GetProcessHeap
HeapAlloc
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetConsoleMode
GetConsoleCP
GetModuleFileNameW
IsValidCodePage
LocalFree
LocalAlloc
GetSystemTimeAsFileTime
GetOEMCP
GetACP
HeapCreate
GetFileType
InitializeCriticalSectionAndSpinCount
GetStdHandle
SetHandleCount
HeapSize
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentThreadId
SetLastError
GetModuleHandleW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
IsProcessorFeaturePresent
GetCPInfo
LCMapStringW
GetStartupInfoW
HeapSetInformation
GetCommandLineA
HeapReAlloc
RtlUnwind
RaiseException
DecodePointer
EncodePointer
InterlockedExchange
InterlockedDecrement
InterlockedIncrement
WriteConsoleW
user32
GetSystemMetrics
wsprintfA
EnumDisplayDevicesW
CharToOemA
GetDC
ReleaseDC
GetKeyboardLayoutList
GetDesktopWindow
gdi32
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateDCA
GetDeviceCaps
CreateCompatibleDC
advapi32
RegOpenKeyExA
RegQueryValueExA
RegEnumKeyExA
GetUserNameA
GetCurrentHwProfileA
RegOpenKeyExW
RegGetValueW
RegCloseKey
RegGetValueA
shell32
SHGetFolderPathA
ShellExecuteA
ole32
CoCreateInstance
CoUninitialize
shlwapi
PathMatchSpecW
crypt32
CryptStringToBinaryA
CryptUnprotectData
psapi
GetModuleFileNameExA
EnumProcessModules
GetModuleBaseNameA
wininet
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle
InternetSetFilePointer
InternetReadFile
HttpQueryInfoA
HttpAddRequestHeadersA
InternetSetOptionA
InternetOpenA
InternetOpenUrlA
gdiplus
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdipGetImageEncoders
GdiplusShutdown
GdiplusStartup
GdipCloneImage
GdipDisposeImage
GdipAlloc
GdipGetImageEncodersSize
GdipFree
bcrypt
BCryptDecrypt
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
Sections
.text Size: 454KB - Virtual size: 453KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 79KB - Virtual size: 79KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 10KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
3.exe windows:4 windows x86 arch:x86
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
Sections
CODE Size: 77KB - Virtual size: 77KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
DATA Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BSS Size: - Virtual size: 4KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: - Virtual size: 8B
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ