Derin Statik Analiz — Vidar | Tehdit: high

Fichier Kimligi

SHA256b9505282931ce70307a14689daf7767ba1124113c24c7e174499bb5331351a5e
MD5d5e2e6b8c0000408bac3946589ec5562
SHA1e242f6507a82d5d089064e52f17cac1180b0d67c
Taille2975616 byte
Tur/opt/ksentinel/samples/b9505282931ce703_install-1.5.exe: PE32+ executable (GUI)
DerlemeInconnu
PackerUPX

C2 / Dropper Domainleri

AdresTipDurum
godebugs.InfoDomainUnknown
www.pakistani.orgDomainUnknown

IOC Listesi

ValeurTip
godebugs.InfoDomain
www.pakistani.orgDomain

Yetenekler

  • TCP Socket C2

Gelistirici Ipuclari

PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|' bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^

Telegram: @6nUa @AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBB @COMU @mA2_ @mA2_6

PE Analizi

Guvenlik Taramasi

file entropy:                    7.079141 (probably packed)
fpu anti-disassembly:            no
imagebase:                       suspicious
entrypoint:                      normal
DOS stub:           

Import Tablosu

Imported functions
    Library
        Name:                            kernel32.dll
        Functions
            Function
                Hint:                            0
                Name:                            WriteFile
            Function
                Hint:                            0
                Name:                            WriteConsoleW
            Function
          

Binwalk / Packer

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
955756     

Famille Tespiti

String kaniti bulunamadi (sifrelenmis/obfuskeli).

Vidar — Profil du malware

Vidar Stealer, 2018 yilinda Racoon Stealer kaynak kodundan turetilen C++ tabanli bir MaaS infostealer ailesidir. Telegram Bot API dead-drop C2, Steam/Instagram profili ile C2 URL gizleme, kripto cuzdan ve tarayici kimlik bilgisi calma yeteneklerine sahiptir.

Type de malware
Infostealer
Langage de programmation
C++
Protocole C2
HTTP
Systèmes ciblés
Windows

Détails techniques

C++, HTTP C2 (Telegram dead drop C2 IP alimi da mevcut), SQLite credential extraction, browser form grabber, kripto wallet scraper, screenshot, Discord stealer, custom panel (PHP)

Attribution / Acteur de la menace

Rusca konusulan gelistirici tarafindan yonetilen MaaS platformu. Arkei Stealer'in devami olarak Rusya baglantili gruplarca gelistirilmektedir.

Capacités et comportement

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Liste IOC (7 indicateurs)

IOC — Vidar
# e242f6507a82d5d089064e52f17cac1180b0d67c # SHA256 b9505282931ce70307a14689daf7767ba1124113c24c7e174499bb5331351a5e # MD5 d5e2e6b8c0000408bac3946589ec5562 # DOMAIN godebugs.Info # DOMAIN www.pakistani.org # FILEPATH bash: -c: line 1: syntax error near unexpected token `|' # FILEPATH bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
TypeValeurNote
e242f6507a82d5d089064e52f17cac1180b0d67c
sha256 b9505282931ce70307a14689daf7767ba1124113c24c7e174499bb5331351a5e
md5 d5e2e6b8c0000408bac3946589ec5562
domain godebugs.Info
domain www.pakistani.org
filepath bash: -c: line 1: syntax error near unexpected token `|'
filepath bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'

Serveurs C2 (5 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
www.pakistani.org domain &mdash; HTTP active &mdash;
185.215.113.31 ip 443 HTTPS inactive RU
193.233.20.158 ip 80 HTTP inactive RU
45.92.96.136 ip 80 HTTP inactive &mdash;
godebugs.Info domain &mdash; HTTP inactive &mdash;

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
vidarstatik-analizhighc2iocpe