vidar

General

Target

2025-05-16_0d81648f2a54a40be7fcb57bc3209aee_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer
Size

938KB
Sample

250516-r76s7aak4x
MD5

0d81648f2a54a40be7fcb57bc3209aee
SHA1

971859c5430c0d58f7f5df004898c07a4b19890b
SHA256

5ddcb268ab3c6e2e8eb3370f990f48fc1825fd67c121789bb7df9e172860c00f
SHA512

6379312ba296cc44a52d6df36223b8880217a00823a67b7a5f29d4191a50af0b74aea431aa101bab0b8fc2088243af5292091f2ba0a8fbdea4f1c11d3bccf6ee
SSDEEP

24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aM3b:6TvC/MTQYxsWR7aM3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

vidar

Version

13.7

Botnet

54911ccfd8045c892eac97c18f773c50

C2

https://t.me/eom25h

https://steamcommunity.com/profiles/76561199855598339

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/135.0.0.0 Safari/537.36 OPR/120.0.0.0

Targets

- Target
  
  2025-05-16_0d81648f2a54a40be7fcb57bc3209aee_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer
- Size
  
  938KB
- MD5
  
  0d81648f2a54a40be7fcb57bc3209aee
- SHA1
  
  971859c5430c0d58f7f5df004898c07a4b19890b
- SHA256
  
  5ddcb268ab3c6e2e8eb3370f990f48fc1825fd67c121789bb7df9e172860c00f
- SHA512
  
  6379312ba296cc44a52d6df36223b8880217a00823a67b7a5f29d4191a50af0b74aea431aa101bab0b8fc2088243af5292091f2ba0a8fbdea4f1c11d3bccf6ee
- SSDEEP
  
  24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aM3b:6TvC/MTQYxsWR7aM3
Score

10^/10

vidar 54911ccfd8045c892eac97c18f773c50 credential_access defense_evasion discovery execution spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1