Extracted

• • Target

    Вооtstrарреr/libcares-2.dll

  • Size

    3.2MB

  • MD5

    4164147a3225fdeb1a0ef43579e2b580

  • SHA1

    391764a2ae094dbd54879cd46dff9e35207f6ec5

  • SHA256

    78d91293dc4e7ec9a1bb87902454b6409c673e5cb2d86dbe65c51d87ae3cef0c

  • SHA512

    4901ef94c56051cda3ceff25aca53d539c38a2a59a2c4788cc4e9842635919c94f1686ff2ff8da1e5641f1554dc851f075d3616873af176008f4cabcabbde5b8

  • SSDEEP

    49152:24qTN+Q1YMyGNY8ZLijO90/9mx1B8yeTDYo8tFrGsEQttkgSwk:ApZv97PuTDYojR

  Score

  10^/10

  vidar70b1951e45faf96b545205e7862cea27credential_accessdefense_evasiondiscoveryspywarestealer

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Uses the VBS compiler for execution

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Suspicious use of SetThreadContext

  behavioral1

• • Target

    Вооtstrарреr/scripts/Dex.lua

  • Size

    410KB

  • MD5

    e37374a8aa47cf8ac6d56901436e199f

  • SHA1

    5d62f5db07614f3b548702faa4f7a06e235c9b12

  • SHA256

    47cc5f1102fda0eba76b9570a1b943326f2170f270d5280e1f8dd5723c43fc14

  • SHA512

    efee19e8109a48d49f099dd1767c722935123c4ea4d6e0ab905703e16fcb7196d31c45826d4398a5b7249e686ca90db3f671416909ce3440d4709edf1bd55775

  • SSDEEP

    6144:X+B5OQiY5mqWM4Kg9HHj/B7TjmmDLmogQcEZVTkJuMap1PBPY9ZSnJm7xoiZDDHQ:RQ90qWM4Kg9HHj/B7TjHKi

  Score

  3^/10

  execution
  behavioral2

• • Target

    Вооtstrарреr/scripts/IY.txt

  • Size

    480KB

  • MD5

    69f23c9d75e7e51707aa64473b0e5642

  • SHA1

    7e6d5eed5d792d0882c828d31965f26dc740588f

  • SHA256

    efe338a26980378a7dcda54989425934cedf3b5db0df82f1e02f8c82d7003337

  • SHA512

    5847ff81c9e3028710d944a69b66dda42bd71f8b512ddd6afd4942648e1185c6f045673de6299416633c8ee36446585fdf9c6bde286a35e39a22028681d5fa97

  • SSDEEP

    6144:nkrLcE7j0LtUWRhp2HRFY91IBWQulO7tFo5n4XO9wDhoQhGZtUi8/1JVr4U48usx:nkrLcE9WrUbYoFOn4Xr+po

  Score

  3^/10

  execution
  behavioral3

• • Target

    Вооtstrарреr/scripts/Infinite Yield.lua

  • Size

    464KB

  • MD5

    b7fd97a54c618754ceab75e8a5c2de10

  • SHA1

    feb96643a76f785177fa4e841b92e6a0af364180

  • SHA256

    784f1c6ac0d4a3abdce59e09b0e9b52da6c426136cf0bfd775445e8194b77ddc

  • SHA512

    078f305142e6b2d3300d249ba305897374e0d5a78e6db9ac902370b1eee433ee83322568735b3d82706fd1fc117dcbd3fe60ad5c2d8cada8deb36b2de6da7921

  • SSDEEP

    6144:OkrLwE7/2eTtOWGhzWtRNY9gIBuQulO7oFo5n4Xd9wDhoQhGZtUi8/1j304U48uH:OkrLwE4WG6NYQFOn4Xyipo

  Score

  3^/10

  execution
  behavioral4

• • Target

    Вооtstrарреr/scripts/UNC Check.txt

  • Size

    28KB

  • MD5

    b76726d10354343d9af5c268e40b47c4

  • SHA1

    7103c78071be0c65c8b3a217168cf7909aef748e

  • SHA256

    e8d53406c916b8e827c65c8f00d8a18b1379e693fd0379e8116e749bdf860cf5

  • SHA512

    5caffd8a06058e890fe4ae35430539281cf53fa791221189f0f6660778a83fa42cc3e5374ce06ff325420d92006c2bfe1003f1486714e889964075da66b046eb

  • SSDEEP

    768:JopEYRzOKMrGrE7BWf9r+T+f9TkIuP4hUUsbU8FqQFBF5UXzRFEe3cSG5Sg/i5rx:JEKcZuy9p

  Score

  3^/10

  execution
  behavioral5

• • Target

    Вооtstrарреr/scripts/UNCCheckEnv.lua

  • Size

    28KB

  • MD5

    b76726d10354343d9af5c268e40b47c4

  • SHA1

    7103c78071be0c65c8b3a217168cf7909aef748e

  • SHA256

    e8d53406c916b8e827c65c8f00d8a18b1379e693fd0379e8116e749bdf860cf5

  • SHA512

    5caffd8a06058e890fe4ae35430539281cf53fa791221189f0f6660778a83fa42cc3e5374ce06ff325420d92006c2bfe1003f1486714e889964075da66b046eb

  • SSDEEP

    768:JopEYRzOKMrGrE7BWf9r+T+f9TkIuP4hUUsbU8FqQFBF5UXzRFEe3cSG5Sg/i5rx:JEKcZuy9p

  Score

  3^/10

  execution
  behavioral6

• • Target

    Вооtstrарреr/Вооtstrарреr.exe

  • Size

    62KB

  • MD5

    67653ba664e96633db899307cd07b56f

  • SHA1

    09bd720cab2345c8d5e0c6bc4687ed3ee7fff0d4

  • SHA256

    5c51dc904076cd5dc22fec10fa18563ef5283ebcfeec6f4bdc23a7504f1d5838

  • SHA512

    43e67213f5aa9f989ba3038a7eff6bfa65dcec03356028499813e72ec5c6e4c7f1cb72445f9335670dd3c2b268cf8933d15a5d8d0b22761fa2b32274a7953100

  • SSDEEP

    1536:vuQNkuJyUCn4TqWjcmGr8N5jiv5gjAuWgMW7Xye5xc:vrOj4TljcmGr8Ny5hvgMWLxxc

  Score

  10^/10

  vidar70b1951e45faf96b545205e7862cea27credential_accessdefense_evasiondiscoveryspywarestealer

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral7