General
-
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa1Q0XzkyWGctMFR4bk01ZWVfNTJNZ3FRWXJId3xBQ3Jtc0trb2lCQnpCQl96c1ZlWkRnVVRKN3ptTGJ3N3E5djJwaEdVaGJocGtJUmZtNTUtb2lOY1AzelpoM1VFWjNMTmF6WXA2TjdoZXdpRGZUUW1Vbldvd0hpM09yZHItcGExc0pYQUNDYVc4VFQ4SlBkZXRfZw&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fsbi6e8z4j6wu4%2FWinnisEx&v=YaI8HmUGjRg
-
Sample
250331-jzytlsvzfv
Malware Config
Extracted
vidar
13.3
c88a663c3425c506a2ca6de08ffb73c8
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Targets
-
-
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa1Q0XzkyWGctMFR4bk01ZWVfNTJNZ3FRWXJId3xBQ3Jtc0trb2lCQnpCQl96c1ZlWkRnVVRKN3ptTGJ3N3E5djJwaEdVaGJocGtJUmZtNTUtb2lOY1AzelpoM1VFWjNMTmF6WXA2TjdoZXdpRGZUUW1Vbldvd0hpM09yZHItcGExc0pYQUNDYVc4VFQ4SlBkZXRfZw&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fsbi6e8z4j6wu4%2FWinnisEx&v=YaI8HmUGjRg
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2