General

  • Target

    JaffaCakes118_1c2d8c2ac9fd09df3926cfe823ff0b2d

  • Size

    666KB

  • Sample

    250704-ppxfpatkx6

  • MD5

    1c2d8c2ac9fd09df3926cfe823ff0b2d

  • SHA1

    eb84310ff71baee15b4c3bfb3259edee9302259f

  • SHA256

    c281aea94813fce2301cac6e6f894a5ac5988deab4e3435473371dfed6bb7b39

  • SHA512

    311d523a2c7e7141dc93d5e75814464d54e4f39ae8d7e5f45b61afb45b5b64acb1f316911f90b1f15d1cdf5e88aad336383783c54849336de7b951fe5c7287be

  • SSDEEP

    12288:Ybll7v6ThVIpCJoLXO2Ap3Hr6YvFCjzaxB23DA6YGvADMF07i3z:YHvBpCibOzZHrRQjzq2zA6YGnF0

Malware Config

Extracted

Family

vidar

Version

4.7

Botnet

95

C2

http://akademiastola.cc/

Attributes
  • profile_id

    95

Targets

    • Target

      JaffaCakes118_1c2d8c2ac9fd09df3926cfe823ff0b2d

    • Size

      666KB

    • MD5

      1c2d8c2ac9fd09df3926cfe823ff0b2d

    • SHA1

      eb84310ff71baee15b4c3bfb3259edee9302259f

    • SHA256

      c281aea94813fce2301cac6e6f894a5ac5988deab4e3435473371dfed6bb7b39

    • SHA512

      311d523a2c7e7141dc93d5e75814464d54e4f39ae8d7e5f45b61afb45b5b64acb1f316911f90b1f15d1cdf5e88aad336383783c54849336de7b951fe5c7287be

    • SSDEEP

      12288:Ybll7v6ThVIpCJoLXO2Ap3Hr6YvFCjzaxB23DA6YGvADMF07i3z:YHvBpCibOzZHrRQjzq2zA6YGnF0

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Vidar Stealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients keep user and profile data on disk, where infostealers commonly read it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and the HKCU and WOW6432Node equivalents) to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
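The behaviour signatures listed above and the C2 host from the extracted config can be turned into a simple host-triage check. The following is an added example, not code from the sandbox or from the Vidar project: it runs those signatures (Uninstall-key enumeration, reads of browser, mail, messenger and 2FA data stores, external IP lookup, contact with the known C2) over constructed Sysmon-like events. The event field names, the IP-lookup hosts and the data-store paths are assumptions for illustration; only the C2 hostname comes from this report.

```python
"""Behavioural triage for the stealer pattern this report describes.

Added example, not code from the sandbox or the Vidar project. The event
records are CONSTRUCTED to resemble Sysmon-style telemetry; the field
names, the IP-lookup hosts and the data-store paths are assumptions.
"""
import re
from collections import defaultdict

# Network IOC taken from the extracted config on this page.
C2_HOSTS = {"akademiastola.cc"}

# Assumed examples of legitimate IP-lookup services (the report names none).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io"}

UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)

# Illustrative data-store paths for the application classes the report lists.
# Browser is checked last: Firefox and Thunderbird share file names (key4.db),
# so the mail/messenger/2FA directory patterns must win first.
STORE_PATTERNS = {
    "reads_email_data": re.compile(r"\\(Thunderbird|Outlook)\\", re.I),
    "reads_messenger_data": re.compile(r"\\(Telegram Desktop|discord|Signal)\\", re.I),
    "reads_2fa_data": re.compile(r"\\(Authy|WinAuth)\\", re.I),
    "reads_browser_data": re.compile(
        r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I),
}
CREDENTIAL_LABELS = set(STORE_PATTERNS)


def classify(event):
    """Return the report's behaviour label for one event, or None."""
    kind, target = event["type"], event["target"]
    if kind == "registry" and UNINSTALL_KEY.search(target):
        return "enumerates_installed_software"
    if kind == "file":
        for label, pattern in STORE_PATTERNS.items():
            if pattern.search(target):
                return label
    if kind == "network":
        host = target.lower()
        if host in C2_HOSTS:
            return "contacts_known_c2"
        if host in IP_LOOKUP_HOSTS:
            return "external_ip_lookup"
    return None


def triage(events):
    """Group labels per pid and decide a verdict for each process.

    A single application legitimately reads its own store (a browser opens
    its own Login Data), so credential access alone is not enough: a process
    is flagged only when it touches stores of two or more distinct
    application classes together with IP lookup or software enumeration,
    or when it talks to a known C2 host.
    """
    labels = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            labels[ev["pid"]].add(label)

    verdicts = {}
    for pid, found in labels.items():
        cred_classes = found & CREDENTIAL_LABELS
        if "contacts_known_c2" in found:
            verdicts[pid] = "malicious"
        elif len(cred_classes) >= 2 and (
                "external_ip_lookup" in found
                or "enumerates_installed_software" in found):
            verdicts[pid] = "stealer_like"
        else:
            verdicts[pid] = "benign"
    return dict(labels), verdicts


# Constructed telemetry: pid 4120 mimics the reported behaviour, pid 880 is a
# browser reading only its own profile data and checking for updates.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4120, "type": "file",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "type": "file",
     "target": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\abc.default\key4.db"},
    {"pid": 4120, "type": "file",
     "target": r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"pid": 4120, "type": "network", "target": "api.ipify.org"},
    {"pid": 4120, "type": "network", "target": "akademiastola.cc"},
    {"pid": 880, "type": "file",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 880, "type": "network", "target": "update.googleapis.com"},
]

if __name__ == "__main__":
    found, verdicts = triage(SAMPLE_EVENTS)
    for pid, verdict in verdicts.items():
        print(pid, verdict, sorted(found[pid]))
```

The two-class rule is what keeps the browser itself out of the verdict: chrome.exe reading its own Cookies file is one credential class, which never reaches the threshold, while a stealer that walks browser, mail and messenger stores in one process does. Matching the C2 host is decisive on its own, since no legitimate process on the host should resolve it.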

MITRE ATT&CK Enterprise v16

Tasks