vidar | 341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3

General

Target

f30562f12f6ef79b34b52f506780e01a.exe
Size

697KB
MD5

f30562f12f6ef79b34b52f506780e01a
SHA1

a70a54548bec648b92253ac5ac998e92ef3dabd9
SHA256

341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3
SHA512

ad7739d8c8d0de69ebd20c41cb9c7739d6cd4f388bb928e228149a8bd454f510d9b0cc379ae56a478855fea665d2cbc031256c09d4ce7a2fbaa7eeed3fc445b6

Score

10^/10

vidar discovery spyware stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

wotsuper.exe

pid process

1416 wotsuper.exe
Loads dropped DLL 2 IoCs

Processes:

f30562f12f6ef79b34b52f506780e01a.exe

pid process

1900 f30562f12f6ef79b34b52f506780e01a.exe
1900 f30562f12f6ef79b34b52f506780e01a.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com

pid	process
1416	wotsuper.exe

pid	process
1900	f30562f12f6ef79b34b52f506780e01a.exe
1900	f30562f12f6ef79b34b52f506780e01a.exe

flow	ioc
19	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

f30562f12f6ef79b34b52f506780e01a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	f30562f12f6ef79b34b52f506780e01a.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	f30562f12f6ef79b34b52f506780e01a.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	f30562f12f6ef79b34b52f506780e01a.exe

Drops file in Windows directory 1 IoCs

Processes:

f30562f12f6ef79b34b52f506780e01a.exe

description ioc process

File opened for modification C:\Windows\wotsuper.reg f30562f12f6ef79b34b52f506780e01a.exe

description	ioc	process
File opened for modification	C:\Windows\wotsuper.reg	f30562f12f6ef79b34b52f506780e01a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wotsuper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wotsuper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wotsuper.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000001f17d73dac812d224cfb7642136e5382a549101bf68a01d747d6079cf691cb25000000000e8000000002000020000000c4947846007d746603d7e2dead122507d5086bfebe23bd0b9a053c6a06d3a7c220000000501a47b3d584fb15cf95dd5b94a27c348fd5dd28609323944653ffb1808f6d04400000007184c31876935ea526657061e2dd32dcb4be15432812a4e56a6baa0b4a220f2bd8d165e7bf6c0555b635be8c2f38bc64972d086b94eeab8554adc1ebb450682a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90874b7ae3b6d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A246B721-22D6-11EB-9E5C-424ABE5A776C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "311724056"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000008890332764f71d3cb72d912dbee948d49b1bf5ecdafdd439ef04ab8114a32d85000000000e8000000002000020000000da492098f782ead66527fcbf36c384a90fe435aab250ec277d97a36c7935563190000000a67bc924070324e34f04e2c4a3a9f05a03eaa6d48a5373c37fa5eeba356fa27ac89011f65f2465a59e2791bd91cbe9ce529a646c265d850e0bf6dffd30265ab33bb11c58a8a0c962db69257b721a2ce457d9725156aa4db22966acbfdd4aa23b8dfdbb0b824873fb32058d18a0426d44b8585bf7a7120ebd4aed5d3b4b4cb800612a2e1535af0bf6e1892945118fff934000000037dbe33210b1635e863ccaf70252e018d80d3579010732fa60312bc331aa1972e0beb8e2bf7a14f3559946b7a1c25b20312e806223d057203cd8dbfb91bc69e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1992 regedit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wotsuper.exe

pid process

1416 wotsuper.exe
1416 wotsuper.exe
1416 wotsuper.exe
1416 wotsuper.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1984 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1984 iexplore.exe
1984 iexplore.exe
1628 IEXPLORE.EXE
1628 IEXPLORE.EXE
1628 IEXPLORE.EXE
1628 IEXPLORE.EXE

pid	process
1992	regedit.exe

pid	process
1416	wotsuper.exe
1416	wotsuper.exe
1416	wotsuper.exe
1416	wotsuper.exe

pid	process
1984	iexplore.exe

pid	process
1984	iexplore.exe
1984	iexplore.exe
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f30562f12f6ef79b34b52f506780e01a.exeiexplore.exe

description	pid	process	target process
PID 1900 wrote to memory of 1416	1900	f30562f12f6ef79b34b52f506780e01a.exe	wotsuper.exe
PID 1900 wrote to memory of 1416	1900	f30562f12f6ef79b34b52f506780e01a.exe	wotsuper.exe
PID 1900 wrote to memory of 1416	1900	f30562f12f6ef79b34b52f506780e01a.exe	wotsuper.exe
PID 1900 wrote to memory of 1416	1900	f30562f12f6ef79b34b52f506780e01a.exe	wotsuper.exe
PID 1900 wrote to memory of 1992	1900	f30562f12f6ef79b34b52f506780e01a.exe	regedit.exe
PID 1900 wrote to memory of 1992	1900	f30562f12f6ef79b34b52f506780e01a.exe	regedit.exe
PID 1900 wrote to memory of 1992	1900	f30562f12f6ef79b34b52f506780e01a.exe	regedit.exe
PID 1900 wrote to memory of 1992	1900	f30562f12f6ef79b34b52f506780e01a.exe	regedit.exe
PID 1900 wrote to memory of 1984	1900	f30562f12f6ef79b34b52f506780e01a.exe	iexplore.exe
PID 1900 wrote to memory of 1984	1900	f30562f12f6ef79b34b52f506780e01a.exe	iexplore.exe
PID 1900 wrote to memory of 1984	1900	f30562f12f6ef79b34b52f506780e01a.exe	iexplore.exe
PID 1900 wrote to memory of 1984	1900	f30562f12f6ef79b34b52f506780e01a.exe	iexplore.exe
PID 1984 wrote to memory of 1628	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1628	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1628	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1628	1984	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe
"C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
2⤵
- Runs .reg file with regedit
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
17767f5acff3a551913e6f89ceec5abc

SHA1
c267c5c63c954445b38aa66d7150762dfea639d0

SHA256
847a2a54035b006b90f615913e22edea992115bbe0df57292fd573465ad16d9b

SHA512
5eed9bbca866778add3cf60ce2ceea710e6a63c2622dc00cf2cc9c2078e38f6d0d86c1173d452a3dfc85f49ff3467ac0143cc3f9e022c55e25716661178a423e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
98f8eae8500f321b80a5ac5223c28784

SHA1
0c88fb0b85938ce88bacd9f4c3ce0f05fcbda4bf

SHA256
87ed2fc290abcd70290c33bde785f5f1de8f9fbbbd3a76bbc9b8d3560c881016

SHA512
2fdb613f225c3ddaf5cca86bc1ebbcf442ae2132d0e26f19a56975c287fdafc35970398fe12d8b2641459e005189618788ec0d20d4677069b2e3fb435860bbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
41bd3162f183d80176c1cf15c60f73b2

SHA1
07ce67b5b4c0f4c40cf5f8a8533c8ab4122e3611

SHA256
c645965accba1ea972eb1d587de0a2e63af9191c86860de7f0cd8dde51753312

SHA512
74eee5072bb9ce615f0c27a356a68fca6a3ebbff0d01139182c9e7e29fc3db0e6b16ae1e8f96e311ef708757398e67b72b2b1c4723e0692a908f04cfd2af3b15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YW99J5FQ.txt
MD5
98972ffb5ec7bc2c57778b373c7fc6a7

SHA1
e72965ac00454a32ddcd589dd81d8ce83b889acc

SHA256
2e81fca6fbf42732c78271aae46daa33e09992ad2e31a0fa9f9d27e07faa5ce8

SHA512
b90f801b28d22b94bff115f1adc0ec42b2c9991d22c92a12f18ae660e6b4242fbbaa9a863cea4b7058eb842947774b6bbb68e2619241517c5dccf0230a0f7185

Download Submit
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
17767f5acff3a551913e6f89ceec5abc

SHA1
c267c5c63c954445b38aa66d7150762dfea639d0

SHA256
847a2a54035b006b90f615913e22edea992115bbe0df57292fd573465ad16d9b

SHA512
5eed9bbca866778add3cf60ce2ceea710e6a63c2622dc00cf2cc9c2078e38f6d0d86c1173d452a3dfc85f49ff3467ac0143cc3f9e022c55e25716661178a423e

Download Submit
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
17767f5acff3a551913e6f89ceec5abc

SHA1
c267c5c63c954445b38aa66d7150762dfea639d0

SHA256
847a2a54035b006b90f615913e22edea992115bbe0df57292fd573465ad16d9b

SHA512
5eed9bbca866778add3cf60ce2ceea710e6a63c2622dc00cf2cc9c2078e38f6d0d86c1173d452a3dfc85f49ff3467ac0143cc3f9e022c55e25716661178a423e

Download Submit
memory/1416-9-0x0000000001EE0000-0x0000000001EF1000-memory.dmp

Filesize
68KB

Download
memory/1416-8-0x000000000030B000-0x000000000030C000-memory.dmp

Filesize
4KB

Download
memory/1416-2-0x0000000000000000-mapping.dmp

Download
memory/1628-7-0x0000000000000000-mapping.dmp

Download
memory/1636-6-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp

Filesize
2.5MB

Download
memory/1984-5-0x0000000000000000-mapping.dmp

Download
memory/1992-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads