General
-
Target
sample
-
Size
3KB
-
Sample
250330-xgnskswry3
-
MD5
21c010cf4481df82d7e5e4a0b4260793
-
SHA1
d2ae87b41aa4e951c3a3131ce7ebc8969948ed97
-
SHA256
b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7
-
SHA512
8f97b34ecda980b0a738d98a99a28ba6f6ceafe65ae97f41b0fc8561a919796e729429507a18e9fe0ef79feb6ee892afb29fc325615c920d72111f3649b3bf5f
Malware Config
Extracted
https://jacrcell.com/joomla/crypted.exe
https://installsh.pages.dev/config.ps1
Extracted
vidar
13.3
00cb84c6bd4caac4bdfc1131beae4df7
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Targets
-
-
Target
sample
-
Size
3KB
-
MD5
21c010cf4481df82d7e5e4a0b4260793
-
SHA1
d2ae87b41aa4e951c3a3131ce7ebc8969948ed97
-
SHA256
b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7
-
SHA512
8f97b34ecda980b0a738d98a99a28ba6f6ceafe65ae97f41b0fc8561a919796e729429507a18e9fe0ef79feb6ee892afb29fc325615c920d72111f3649b3bf5f
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Executes dropped EXE
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Window
1Modify Authentication Process
1Modify Registry
1Credential Access
Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2