Overview

overview

10

Static

static

7

d2192209d6...a5.exe

windows7-x64

10

d2192209d6...a5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2192209d6892b9bf8e6d155a53b69a5.exe

  • Size

    3.3MB

  • Sample

    230719-pz7peaeh59

  • MD5

    d2192209d6892b9bf8e6d155a53b69a5

  • SHA1

    f417394441a253f7f0ef661b00905fa51c71b4fc

  • SHA256

    b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b

  • SHA512

    6cbe6898897864cd99579f000806867724c65327125250bb382204e012d375c9211acdac3cdfa36091daee42b0a1394777f69a51ad192ad9dabc7449af4c903f

  • SSDEEP

    49152:B9fBVAeoycp8DtPCrZPKh0wCqMEvhuwteJoltx6I+PGnGToq5aOCDDHV3:BnVAeh+8Dtqtyh5Iw4qZoGnZOCfHl

Score
10/10
vidarhttps://t.me/sundayeventevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

4.8

Botnet

https://t.me/sundayevent

C2

https://t.me/sundayevent

https://steamcommunity.com/profiles/76561198982268531
Attributes
  • profile_id_v2

    https://t.me/sundayevent

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Targets

    • Target

      d2192209d6892b9bf8e6d155a53b69a5.exe

    • Size

      3.3MB

    • MD5

      d2192209d6892b9bf8e6d155a53b69a5

    • SHA1

      f417394441a253f7f0ef661b00905fa51c71b4fc

    • SHA256

      b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b

    • SHA512

      6cbe6898897864cd99579f000806867724c65327125250bb382204e012d375c9211acdac3cdfa36091daee42b0a1394777f69a51ad192ad9dabc7449af4c903f

    • SSDEEP

      49152:B9fBVAeoycp8DtPCrZPKh0wCqMEvhuwteJoltx6I+PGnGToq5aOCDDHV3:BnVAeh+8Dtqtyh5Iw4qZoGnZOCfHl

    Score
    10/10
    vidarhttps://t.me/sundayeventevasionspywarestealerthemidatrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks