vidar

Sharing

Copy URL

Twitter E-mail

General

Target

1a_bin.zip
Size

9.9MB
Sample

250330-n939asx1dx
MD5

06769e1f6b1d46f06b95a31f7926a81c
SHA1

8443761f0aabf1a8f2e68a6847dfc69cc424c97e
SHA256

c33bbc9a04b5d8e0dd321f4c3f4b254bf4b78dbf126767716b9696e6a2fceabe
SHA512

7abd3be15f6c6ca66eb7feba8f8e39dcf2ad07d578e004ba6b3c130738f43165e59521e8ddfa15fe051c36669c9b623e18b133f141cf6c873781acf4e3724363
SSDEEP

196608:wYAn31AbtpT5ylm/SNNy4giLvlN0nv5iTqKaQUJO7rPh1:gn31y7Tym/69LvlN0nvA7jUqD

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

53d7fe95cf5d7ac3815633614e2a92df

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Targets

- Target
  
  1qb_acid.exe
- Size
  
  81KB
- MD5
  
  41c2401a4ecf9c80796e534d388e56cd
- SHA1
  
  e844e6b178ef8191ce189c0e632dc7fdb2947db3
- SHA256
  
  0e5a768a611a4d0ed7cb984b2ee790ad419c6ce0be68c341a2d4f64c531d8122
- SHA512
  
  6f7d365f10b45cc88d8968020f6232974398cc1b46710bf650c5aa162c40d48fef0a035b29fc1b0271d4f69410fbca1b4a4119d816eeec205043175981429071
- SSDEEP
  
  1536:dEV+sOWSnk3uXcieWN8WBnc1br8zlZAHaG8CaWCMp+O7Xg5U:dEV+sFSkMxRnc1br8j0aCCMXL7
Score

10^/10

vidar 53d7fe95cf5d7ac3815633614e2a92df credential_access discovery stealer spyware
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  bbi/Qt5Core.dll
- Size
  
  5.7MB
- MD5
  
  b9f265fdf70eb0f6b51b744ca3a99b16
- SHA1
  
  d152d2c93176d2b9c5e867fbd2ccde5802f812d3
- SHA256
  
  29f02a06beb7cc0126de3bdf24d9e7aebc4f48cd3d28ee3dc450b224d49412be
- SHA512
  
  be37d406e4dc130da59ba7c8ababace6cbcdbcd597903a15e32323503bc55ca21a2d81920aa51c5845161aeb78629d49fc7f6e0cf64d615f226a2c56ff848958
- SSDEEP
  
  98304:mcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwS:RirJylHFb/QMJsv6tWKFdu9CL4xqfg8w
Score

1^/10
behavioral3 behavioral4
- Target
  
  bbi/Qt5Gui.dll
- Size
  
  6.7MB
- MD5
  
  f2881a38a57c53bcecf6bad5e029d6fb
- SHA1
  
  0d20fa11460edb1e40d677def5a25ae1672a923d
- SHA256
  
  aa27149c2328007ee9276ae31b69fd07ca0f264e5dbb023076889dbf963d6098
- SHA512
  
  511b81aa306a4a2b3f419c616d38ccd1e19b380a3f33e4763b0c8772b2c1f0086db825d1953a93c2e6ed6a57018278dd6b0cc470452f7b000b561db2d6bb8f79
- SSDEEP
  
  49152:sVPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2i:mJZzI1ZR3U9Cxc22aDACInVc4k
Score

1^/10
behavioral5 behavioral6
- Target
  
  bbi/Qt5Network.dll
- Size
  
  1.3MB
- MD5
  
  ede0cf8a13a02754b1549d85d03a82c5
- SHA1
  
  ea70334a1c6bcb3fcc67c2da474932adfee3d44d
- SHA256
  
  c4ab7e26a33504d8268b13d8d895b0b0225560a6ff12486cddef9980671c34df
- SHA512
  
  498aa337358cab3539308a06c895377d73a9ea9eb0667166d349f458586ebfe3617d7b17bce1fed5c4187bfb0be9300a0d7b0fd2a174653d063211b83a34ba30
- SSDEEP
  
  24576:DXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEq:L7hXU1U95m4ff9A5RviaRy9NGO
Score

1^/10
behavioral7 behavioral8
- Target
  
  bbi/nbjq1/libEGL.dll
- Size
  
  65KB
- MD5
  
  fe276543cc6ae9c25f58d95d839293f5
- SHA1
  
  4bfea57b0a1393320f1ff4891c990f34a9b27b41
- SHA256
  
  fbdf9675b1ff7e32c8026bfaab2534b9b0302ae3773df24aefa2290915469f2f
- SHA512
  
  b56fe47fd4a7ba2c211fa9518a33af0ba6943082e00de89c596e59a0111c77742e9e0b8113552bc89ae50d29dee6aaa2cdecdfe82443b3bf5c52327e1b2212b2
- SSDEEP
  
  768:x+Ne8iE6s4sgTQ+3lIcXOQPXefmJ+63mzVVx:FbsgE+IixPXhZWh/
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  bbi/nbjq1/libeay32.dll
- Size
  
  2.2MB
- MD5
  
  e22b2e3d650c33c9197f985b7516da70
- SHA1
  
  87fe823dfd9a2ed7596cbfe249318c17e095aeb1
- SHA256
  
  2270871989e6c90df07b3e4630b4c4b6dd0e33e2a23ba3c52a7ff7bc3553304e
- SHA512
  
  84c9ca6f4dd73fb1f426671f937ab0e0210dce0bfb0e48fbb8e0305d31aca97d762a6b462c8daef5092d27b612fd7bfc7a6e3664995eee2ece25598dd3b48af8
- SSDEEP
  
  49152:h/O+JXTGl7CsCgvt/FOdufMgKz0/0Nqwvls9Uf:h/O+JXTGl7CsCgvt/FgufMgKRNqfUf
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  bbi/nbjq1/libgcc_s_dw2-1.dll
- Size
  
  113KB
- MD5
  
  9aec524b616618b0d3d00b27b6f51da1
- SHA1
  
  64264300801a353db324d11738ffed876550e1d3
- SHA256
  
  59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
- SHA512
  
  0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
- SSDEEP
  
  3072:nti6N0WeF35Ro7hAWP6cagLSuf6LG3qSbKE4M:ti6N2F33wGJVuHuE
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  bbi/nbjq1/qtwebengine_resources.pak
- Size
  
  2.2MB
- MD5
  
  14f2f9bd381fb1e1e903304af053137d
- SHA1
  
  aad78b040feeeb82835089b81734ced5697f85b8
- SHA256
  
  5f96bb8b73792ccab961dc06b1190ff2d7aa65e24bbccd806fffca24140cbe9c
- SHA512
  
  cde2f353711c3e51b9dd395e882a19034934606cc2b3ed54fef3e2c966e144356aa00425a07c14bd6c5afcf6fdc56de512b627f38ba2ecfa04b9c1a59e20e8ef
- SSDEEP
  
  49152:6ezFR/f5VhBDew6N/0yD8G1hdAKeBkIBak0xHgryM7PdN:jR/61h8BaJgGMLdN
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  bbi/nbjq1/qtwebengine_resources_100p.pak
- Size
  
  625KB
- MD5
  
  67f87f033644ec0eb8b7309eb2b1b7ce
- SHA1
  
  bcee3c488f0421f169e2a4881c2c5294871bef3f
- SHA256
  
  7eb8e53261798f00ee583e623ce3d9be107a1f4cf2fc88d667540d230da04708
- SHA512
  
  a41ba465d6cf921818ea7560b31e6ae9ff2a2490f0aa6cf66775cd3b647125a7d98779670a9347311ffcd025cb864de5d6e7c001c6231bda741fbbc3d8940c57
- SSDEEP
  
  6144:CwAkHcSjalRrd0E6mdXRU1CtT5TNhx5c1YC7x10fSucY7OP2ITb:CwAHp5Tbgf1d/db
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  bbi/nbjq1/qtwebengine_resources_200p.pak
- Size
  
  763KB
- MD5
  
  083950e31e62fd878a63f30d52c8602b
- SHA1
  
  b6af83a0c7c0cb5b93a0cfad57763541ea17e757
- SHA256
  
  deebba302acebfa268b317a57f56ba631325edbf053ff32a8d7832347d1ed44d
- SHA512
  
  08cb70af18347c7917976a928a8617cb3b7c29ed8f4c91840fb81555e0f8388246f4e6b71c9f8a0aa30b0f433f262a29772ae880a54e276794d74ab2aa74e79c
- SSDEEP
  
  6144:lAkHcSjalRrd0E6mdXRU1C/+9bGHgs4jTl+TNNz73QYV85u/oFYvwoytKi6obByb:lAH6egs4jTITDg5u/oFFpxLlFYt
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  libcares-2.dll
- Size
  
  2.1MB
- MD5
  
  c6665e35ee4d37d977944be4e5104fae
- SHA1
  
  11d9e974117b481d2f64ece309e4050f002e47c2
- SHA256
  
  ba2a1b98cac090216add6204bc86e11257ca323a73d536b2eb158441f48455e8
- SHA512
  
  1be21874d5e4bc2e1880ffa2369333f5a5d6d0d2768501960c860fc117411c1869472e9d0e330f2b6497c944f8b677e3f8fd9108166a3614a002eb615ebf68e5
- SSDEEP
  
  49152:3ON4A6Szfs35ZgtaejeQZyAfqqeYTNB/6/ir+7iGh9OWg17OA:9Ccg
Score

10^/10

vidar 53d7fe95cf5d7ac3815633614e2a92df credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  nasrallah_x86.dll
- Size
  
  137KB
- MD5
  
  c8fc382361673c38cec30d65b562a1eb
- SHA1
  
  fe5a4c8f9900c4e27d1af9800f142ddbccc1866d
- SHA256
  
  960c6eb1332cfb7bce1bb4388a4e5a2f7265d7b5dbf3f40f64a679e09cd0f621
- SHA512
  
  193db377995dd561718ccee8a9e0ef85f91f4fc8d330f87621eeb01dc3369779e89e24e61001dfb7bdd7d284fd4b659ae638b6d81bbc424f05b305da84bfc69a
- SSDEEP
  
  3072:QVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QX8qu:0H8RuRLlzgUd6a/AslX8qu
Score

1^/10
behavioral23 behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Vidar Stealer

Vidar family

Uses browser remote debugging

Unsecured Credentials: Credentials In Files

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Detect Vidar Stealer

Vidar

Vidar family

Uses browser remote debugging

Unsecured Credentials: Credentials In Files

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24