vidar

General

Target

Iаuncher_v9.1.rar
Size

13.6MB
Sample

250421-ljrrga1rt5
MD5

6adf66f995f52565c6f44edd024ad6d5
SHA1

4ced5eb46794194e90a0baf8d01d78efdaaa2a77
SHA256

39b8d89f49c86b2a1f876763e3b4666749c85de715aa10aa96a00d5a2d83861a
SHA512

0ccc86c3e6605299f2d24c7982e909af038ffc030e82426ac7cecf8f797e2b0122b18722056d381764056c21e340e8e01df1b1025764e7a9158d43cbcb944522
SSDEEP

393216:xTR2upwCQ5NKmlfv29/Vbrb3C48I5x2jUyt2jSVdXR/X:x8gwCQPJv29BHzfxdQ3R/

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

fe765de57643ac9d227ea7737a97bb87

C2

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Targets

- Target
  
  Iаuncher_v9.1.rar
- Size
  
  13.6MB
- MD5
  
  6adf66f995f52565c6f44edd024ad6d5
- SHA1
  
  4ced5eb46794194e90a0baf8d01d78efdaaa2a77
- SHA256
  
  39b8d89f49c86b2a1f876763e3b4666749c85de715aa10aa96a00d5a2d83861a
- SHA512
  
  0ccc86c3e6605299f2d24c7982e909af038ffc030e82426ac7cecf8f797e2b0122b18722056d381764056c21e340e8e01df1b1025764e7a9158d43cbcb944522
- SSDEEP
  
  393216:xTR2upwCQ5NKmlfv29/Vbrb3C48I5x2jUyt2jSVdXR/X:x8gwCQPJv29BHzfxdQ3R/
Score

10^/10

vidar xmrig fe765de57643ac9d227ea7737a97bb87 credential_access defense_evasion discovery execution miner persistence spyware stealer upx
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  defense_evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  S0FTWARE.exe
- Size
  
  349KB
- MD5
  
  656a1813b1f6b1b23f86868148f03c97
- SHA1
  
  171427be31c7cd18d2838e9c985240a77370c99c
- SHA256
  
  98a355651f9f043e1ed3eaf1ac5ef8ff617f3438969e6488ef05ada40bac12d2
- SHA512
  
  69444b0a88c3a46da193a4920546a371b9243cb8a925ae725dc33e964f2342fe554e6e7f163f5d7eb6eb2b57e8d40d26e7fb2ff0ebf6b086402b20b69d21b2a7
- SSDEEP
  
  6144:ZdCuJHaXn51HBOWGEI8ue6/W4yJIyhBzOTVa:ZwuJqnbBjGEIn/W4yOk1
Score

10^/10

vidar xmrig fe765de57643ac9d227ea7737a97bb87 credential_access defense_evasion discovery execution miner persistence spyware stealer upx
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  defense_evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4