vidar | 7ee9786ce295430044ac02259ca43dd92a036f3146533b308dca24f87e05edd4

General

Target

432db6f0e813f2dd346bb4411b6263b3.exe
Size

696KB
MD5

432db6f0e813f2dd346bb4411b6263b3
SHA1

64e07afef6d1c9c3cb7aaa57d0d469892203fbc4
SHA256

7ee9786ce295430044ac02259ca43dd92a036f3146533b308dca24f87e05edd4
SHA512

f9cbe6df06359f290ed5720399f20d969a254ed33927d6d7eaf8d137da8cd07166dada50906d633c03c6c3c1d871dadc5731639c1ddb700525ab7b0a90d17e8b

Score

10^/10

vidar discovery spyware stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

wotsuper.exe

pid process

1496 wotsuper.exe
Loads dropped DLL 2 IoCs

Processes:

432db6f0e813f2dd346bb4411b6263b3.exe

pid process

1588 432db6f0e813f2dd346bb4411b6263b3.exe
1588 432db6f0e813f2dd346bb4411b6263b3.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com

pid	process
1496	wotsuper.exe

pid	process
1588	432db6f0e813f2dd346bb4411b6263b3.exe
1588	432db6f0e813f2dd346bb4411b6263b3.exe

flow	ioc
28	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

432db6f0e813f2dd346bb4411b6263b3.exe

description	ioc	process
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	432db6f0e813f2dd346bb4411b6263b3.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	432db6f0e813f2dd346bb4411b6263b3.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	432db6f0e813f2dd346bb4411b6263b3.exe

Drops file in Windows directory 1 IoCs

Processes:

432db6f0e813f2dd346bb4411b6263b3.exe

description ioc process

File opened for modification C:\Windows\wotsuper.reg 432db6f0e813f2dd346bb4411b6263b3.exe

description	ioc	process
File opened for modification	C:\Windows\wotsuper.reg	432db6f0e813f2dd346bb4411b6263b3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wotsuper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wotsuper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wotsuper.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000f817331c2e9c5f2374c9b8d7f45545a0c366554d130fdf23a09975e4b38d797e000000000e800000000200002000000045e1644836b51b5daaf04c445ca1d2c2eeaa4319d8d5d876a44cdcef64b169d020000000898acdbb63106bfabdb84e17c55e7394e9233a7f9bcd1bea7779838fe67614f940000000c42e3b8ccd639da54ac6a778d9e5286a47d97e1ab5a6793c463c9eb692e0c991713ab86d18cbd0ab6ee3d7e125b29a23f1ba33b05f700755411ae3a349463a39	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e79938e3b6d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000084b264906a041afd0fdf228923cdf3d38807b97275c83dacaa604cea04f5e006000000000e80000000020000200000002612ab40cc5f2f4cc67fec44facd6be1d0b4fc96dc31afae43d3c26af530e8b790000000bd645ff4223360e45befa9a39aff957cb1f9f171f96398a01613cc6cd586c1a5fd4da0639d997c3c1b5bcb65c91342dad46018fb20d2418fd323299acff54c95a138e0c2fd7240515f44623b598275147ff8a59e09281d7c5ef17f76689da22ca2c8c7cbf54d880498f84318fbcee92383412a43190798c25d86b4b3a9565c9240b70f7ded46550f9289c2bcc5ed812c40000000549a3c67f989bea70b2a94398c12d90c75d2c65b7c943b5ead510bb14bf98fae650de325349602e073ca692f0de277caf4297a62f4268fa319ee89f27c070491	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "311723946"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{602A0091-22D6-11EB-9B42-F2DC1BF59C8B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1932 regedit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wotsuper.exe

pid process

1496 wotsuper.exe
1496 wotsuper.exe
1496 wotsuper.exe
1496 wotsuper.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1896 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1896 iexplore.exe
1896 iexplore.exe
1356 IEXPLORE.EXE
1356 IEXPLORE.EXE
1356 IEXPLORE.EXE
1356 IEXPLORE.EXE

pid	process
1932	regedit.exe

pid	process
1496	wotsuper.exe
1496	wotsuper.exe
1496	wotsuper.exe
1496	wotsuper.exe

pid	process
1896	iexplore.exe

pid	process
1896	iexplore.exe
1896	iexplore.exe
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

432db6f0e813f2dd346bb4411b6263b3.exeiexplore.exe

description	pid	process	target process
PID 1588 wrote to memory of 1496	1588	432db6f0e813f2dd346bb4411b6263b3.exe	wotsuper.exe
PID 1588 wrote to memory of 1496	1588	432db6f0e813f2dd346bb4411b6263b3.exe	wotsuper.exe
PID 1588 wrote to memory of 1496	1588	432db6f0e813f2dd346bb4411b6263b3.exe	wotsuper.exe
PID 1588 wrote to memory of 1496	1588	432db6f0e813f2dd346bb4411b6263b3.exe	wotsuper.exe
PID 1588 wrote to memory of 1932	1588	432db6f0e813f2dd346bb4411b6263b3.exe	regedit.exe
PID 1588 wrote to memory of 1932	1588	432db6f0e813f2dd346bb4411b6263b3.exe	regedit.exe
PID 1588 wrote to memory of 1932	1588	432db6f0e813f2dd346bb4411b6263b3.exe	regedit.exe
PID 1588 wrote to memory of 1932	1588	432db6f0e813f2dd346bb4411b6263b3.exe	regedit.exe
PID 1588 wrote to memory of 1896	1588	432db6f0e813f2dd346bb4411b6263b3.exe	iexplore.exe
PID 1588 wrote to memory of 1896	1588	432db6f0e813f2dd346bb4411b6263b3.exe	iexplore.exe
PID 1588 wrote to memory of 1896	1588	432db6f0e813f2dd346bb4411b6263b3.exe	iexplore.exe
PID 1588 wrote to memory of 1896	1588	432db6f0e813f2dd346bb4411b6263b3.exe	iexplore.exe
PID 1896 wrote to memory of 1356	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 1356	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 1356	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 1356	1896	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\432db6f0e813f2dd346bb4411b6263b3.exe
"C:\Users\Admin\AppData\Local\Temp\432db6f0e813f2dd346bb4411b6263b3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1588

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
2⤵
- Runs .reg file with regedit
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
92ab03f9b717775109003526dc953222

SHA1
c9e1ae9bfa62f155692ca7a2084d17cfc2e12ae1

SHA256
78c9d1c82182e7bdc21c5a5747590ab050b57f6e4b8b5f8a03b4177414f00ba7

SHA512
4f929e6ba9157701fd72cf1dad251f2fd9918f5e00ab52ecc56f4b0a5b952f4cca5588a73cf60602d52e389674db82c1eb47a11ba4e9923f0fd59947f993c75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ebb9fe3fa4a3519fc590b350d3b817a1

SHA1
aae08f705f34d0c98aa8ef26864f20c54af28cc6

SHA256
9b34a474908c0081ad75849ae753a3b254200e74ae2d999d36385f135e50e2da

SHA512
facd9bb05708b0f56c5e3cae4f5f63cdd67be0df499183ef0cc2c6ffa0e59f8a9bbe612afda8fe4b8c3bdb4f4d3a387f627e47291c3ae9429447712b479aa71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
931ebab29571bc8ec9d36bd4d6c4df42

SHA1
471a4c83d51b09732dc6e80a08d47dc2ba086852

SHA256
40967cea81a07be327150b9f192b63d421da0e63f0b258d3ab5a02b80df3205b

SHA512
36c10c3453526f832a1e5fca1fa53335ba07e60f279a33ef5897312a57582f90d0080d502e64e67d6020b6f750a7fa3955426dba4b7d71d44436c8d40ee0f2da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\399141JQ.txt
MD5
6643bae8c97bddaf6fbdacb033f6437f

SHA1
18c5e8637ee71263770f718fc2e65f3264cd9af0

SHA256
4888530d8ec28a9577abac5976a5ed1e235f35d2c322e08aa72c980289ddda45

SHA512
8b2b1356db3217ebadd72550a15b94498fece331a1fa616ec57a537a71a9cfa1984991172cf1f57cff58aadac0b5989c2bf09a50fe4ea1471938c17b19574ecd

Download Submit
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
92ab03f9b717775109003526dc953222

SHA1
c9e1ae9bfa62f155692ca7a2084d17cfc2e12ae1

SHA256
78c9d1c82182e7bdc21c5a5747590ab050b57f6e4b8b5f8a03b4177414f00ba7

SHA512
4f929e6ba9157701fd72cf1dad251f2fd9918f5e00ab52ecc56f4b0a5b952f4cca5588a73cf60602d52e389674db82c1eb47a11ba4e9923f0fd59947f993c75e

Download Submit
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
92ab03f9b717775109003526dc953222

SHA1
c9e1ae9bfa62f155692ca7a2084d17cfc2e12ae1

SHA256
78c9d1c82182e7bdc21c5a5747590ab050b57f6e4b8b5f8a03b4177414f00ba7

SHA512
4f929e6ba9157701fd72cf1dad251f2fd9918f5e00ab52ecc56f4b0a5b952f4cca5588a73cf60602d52e389674db82c1eb47a11ba4e9923f0fd59947f993c75e

Download Submit
memory/1356-7-0x0000000000000000-mapping.dmp

Download
memory/1496-9-0x0000000001F30000-0x0000000001F41000-memory.dmp

Filesize
68KB

Download
memory/1496-8-0x00000000005AB000-0x00000000005AC000-memory.dmp

Filesize
4KB

Download
memory/1496-2-0x0000000000000000-mapping.dmp

Download
memory/1780-6-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download
memory/1896-5-0x0000000000000000-mapping.dmp

Download
memory/1932-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads