Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Vidar
Trojan:Win64/Vidar.B!AMTB is a Vidar family information stealer targeting Windows systems. This threat is designed to exfiltrate sensitive data, including browser cookies, cryptocurrency wallet keys (e.g., Monero, Brave), and credentials from applications like WinSCP, posing a significant risk of financial loss and account compromise.
Relevant strings associated with this threat: - "id":1,"method":"Storage.getCookies" (PEHSTR_EXT) - \Monero\wallet.keys (PEHSTR_EXT) - \BraveWallet\Preferences (PEHSTR_EXT) - /c timeout /t 10 & rd /s /q "C:\ProgramData\ (PEHSTR_EXT) - Software\Martin Prikryl\WinSCP 2\Sessions (PEHSTR_EXT) - SOFTWARE\monero-project\monero-core (PEHSTR_EXT) - LoadLibrary (PEHSTR_EXT) - ShellExecuteW (PEHSTR_EXT)
0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8eImmediately isolate the infected host from the network. Perform a full system scan with updated antivirus software, remove all detected threats, and reboot the system. Subsequently, reset all critical passwords (especially for online accounts, cryptocurrency wallets, and banking), enable multi-factor authentication where possible, and monitor financial accounts for any suspicious activity. Ensure the operating system and all installed software are fully patched to address potential vulnerabilities.