Overview

overview

10

Static

static

3

XToolUnlock.zip

windows11-21h2-x64

8

XToolUnlock_v2.9.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XToolUnlock.zip

  • Size

    30.9MB

  • Sample

    250330-x1gtdaxmz7

  • MD5

    b06d5213d4ff33e2479c7513cc69c52c

  • SHA1

    c734d32e41acc3a24e78ed8bd39738857b9b5c76

  • SHA256

    c50bfe8359f6673970f1c3f810418c79bb01e8c95491c7be8e38f9ebe53a443e

  • SHA512

    f5d46f2b86f243bc5f97496ab0f68844c81fff3ba08082fe82531dc44ea9ead067e5728a8cbb9936c68ec4ef1183d1f2fd7800792369689a5d0fae37ecf08d9c

  • SSDEEP

    786432:XgXoEOoXLbBiJLAj2SzZTYGWN7WFQT/Az43eowDgzZHc:/hO4JLGXYBBT043e8c

Score
10/10
vidar286abd424eeeb855a080435369086f7fcredential_accessdefense_evasiondiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

286abd424eeeb855a080435369086f7f

C2

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Targets

    • Target

      XToolUnlock.zip

    • Size

      30.9MB

    • MD5

      b06d5213d4ff33e2479c7513cc69c52c

    • SHA1

      c734d32e41acc3a24e78ed8bd39738857b9b5c76

    • SHA256

      c50bfe8359f6673970f1c3f810418c79bb01e8c95491c7be8e38f9ebe53a443e

    • SHA512

      f5d46f2b86f243bc5f97496ab0f68844c81fff3ba08082fe82531dc44ea9ead067e5728a8cbb9936c68ec4ef1183d1f2fd7800792369689a5d0fae37ecf08d9c

    • SSDEEP

      786432:XgXoEOoXLbBiJLAj2SzZTYGWN7WFQT/Az43eowDgzZHc:/hO4JLGXYBBT043e8c

    Score
    8/10
    defense_evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    behavioral1

    • Target

      XToolUnlock_v2.9.exe

    • Size

      634KB

    • MD5

      93adf8065f0c98800caaa0c04643086d

    • SHA1

      1d9155ca4e97cd715a2053e98578bc3c41e144dd

    • SHA256

      93333cc84d80767f88528b50cd5f563a7fc2626e0817ab9a666df733dd51d369

    • SHA512

      6253872a445477fff892ba37f51aa44e655a7f61dc8ee8e9242911b8c2e9dac105234681255cdf82526239bfc582e8205f8aa9fb7e6a94b4cf2bf696dd26524b

    • SSDEEP

      12288:SaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OH2JrZwIRlUR:Kw4GBpehMjcuP5b4Fty3pZwglUR

    Score
    10/10
    vidar286abd424eeeb855a080435369086f7fcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral2

MITRE ATT&CK Enterprise v15

Tasks