vidar | 4d6904b252c292f5aefe176877720e6e8520c977c9f27ba46c92e5a0b6796016

Resubmissions

02/04/2024, 09:25

240402-ldsrksdb67 10

24/08/2021, 04:56

210824-sewqk7n826 10

Analysis

max time kernel
4s
max time network
204s
platform
windows7_x64
resource
win7v20210408
submitted
24/08/2021, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A56C0274E6EA9BD32141634A92052D91.exe
Size

4.1MB
MD5

a56c0274e6ea9bd32141634a92052d91
SHA1

0f69b4fcbda90184075b84d12217abbd0c07d704
SHA256

4d6904b252c292f5aefe176877720e6e8520c977c9f27ba46c92e5a0b6796016
SHA512

c21c368a8d9e59b61ddb409958b071f206bc1c10e42b1a378a6b32b01fa4a9e107d1b840a0351a2ef3c787881e87d842ae12bd4c49050feb2dab5c7247088526

Score

10^/10

vidar 706 aspackv2 stealer

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1484	rundll32.exe	51

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/860-148-0x0000000003200000-0x000000000329D000-memory.dmp	family_vidar
behavioral1/memory/860-153-0x0000000000400000-0x0000000002D0E000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00030000000130c8-68.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c8-67.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c7-69.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c7-70.dat	aspack_v212_v242
behavioral1/files/0x00030000000130ca-73.dat	aspack_v212_v242
behavioral1/files/0x00030000000130ca-74.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
376	setup_install.exe
1384	Fri17e57b57304ad6467.exe
1804	WerFault.exe
860	Fri17c3ec4b03a0d8e6.exe

Loads dropped DLL 15 IoCs

pid	Process
1972	A56C0274E6EA9BD32141634A92052D91.exe
1972	A56C0274E6EA9BD32141634A92052D91.exe
1972	A56C0274E6EA9BD32141634A92052D91.exe
376	setup_install.exe
376	setup_install.exe
376	setup_install.exe
376	setup_install.exe
376	setup_install.exe
376	setup_install.exe
376	setup_install.exe
376	setup_install.exe
928	cmd.exe
928	cmd.exe
2036	cmd.exe
2036	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1804	860	WerFault.exe	40

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 1972 wrote to memory of 376	1972	A56C0274E6EA9BD32141634A92052D91.exe	29
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 672	376	setup_install.exe	31
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 928	376	setup_install.exe	48
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 752	376	setup_install.exe	47
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 344	376	setup_install.exe	32
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 2036	376	setup_install.exe	46
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 376 wrote to memory of 552	376	setup_install.exe	45
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 928 wrote to memory of 1384	928	cmd.exe	33
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 376 wrote to memory of 1896	376	setup_install.exe	44
PID 2036 wrote to memory of 860	2036	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\A56C0274E6EA9BD32141634A92052D91.exe
"C:\Users\Admin\AppData\Local\Temp\A56C0274E6EA9BD32141634A92052D91.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17f148864b7f11.exe
    3⤵
    PID:344
  - - C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17f148864b7f11.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17f148864b7f11.exe"
      4⤵
      PID:964
  - - C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17f148864b7f11.exe
      Fri17f148864b7f11.exe
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17bbd34709019a06.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17384323b14.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17db701d83a67.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri1743bf1fe022.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17523e6b49e.exe
    3⤵
    PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17c3ec4b03a0d8e6.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17935370d9f965.exe
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri17e57b57304ad6467.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:928

C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17e57b57304ad6467.exe
Fri17e57b57304ad6467.exe
1⤵
- Executes dropped EXE
PID:1384
- C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17e57b57304ad6467.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17e57b57304ad6467.exe" -a
  2⤵
  PID:1528

C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17db701d83a67.exe
Fri17db701d83a67.exe
1⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri1743bf1fe022.exe
Fri1743bf1fe022.exe
1⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\7zS4B780E35\Fri17c3ec4b03a0d8e6.exe
Fri17c3ec4b03a0d8e6.exe
1⤵
- Executes dropped EXE
PID:860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 960
  2⤵
  - Executes dropped EXE
  - Program crash
  PID:1804

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-154-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/376-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/376-112-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/376-99-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/376-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/376-89-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/376-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/376-82-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/376-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/376-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/376-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/860-148-0x0000000003200000-0x000000000329D000-memory.dmp

Filesize
628KB

Download
memory/860-153-0x0000000000400000-0x0000000002D0E000-memory.dmp

Filesize
41.1MB

Download
memory/1804-172-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1972-59-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/2024-147-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download