vidar | ff4304e357cb5bfd79bb6f3b573298bdc348a19ba5fbb5250e54218e33a36593

Analysis

max time kernel
87s
max time network
148s
platform
windows10_x64
resource
win10-en
submitted
08-09-2021 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file5.exe
Size

1.7MB
MD5

a70b82151e35e0ff675745edeba1143f
SHA1

5e7e466b04782a33ade1c85bd5d18f2c181e2e28
SHA256

ff4304e357cb5bfd79bb6f3b573298bdc348a19ba5fbb5250e54218e33a36593
SHA512

f08038d4d1361acd3cfc983f12fab55390fc85970fda13709915a4d277a20d24dee14782ed571dbaf6bd9440500428167c607d9852d7071788edca593e741cf0

Score

10^/10

vidar 921 persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

921

https://gheorghip.tumblr.com/

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1004-136-0x0000000000400000-0x00000000004D5000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Mie.exe.comMie.exe.comipconfig.exe

pid process

4044 Mie.exe.com
4284 Mie.exe.com
1004 ipconfig.exe
Drops startup file 1 IoCs

Processes:

Mie.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SFlSzEoGMT.url Mie.exe.com
Loads dropped DLL 2 IoCs

Processes:

ipconfig.exe

pid process

1004 ipconfig.exe
1004 ipconfig.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4044	Mie.exe.com
4284	Mie.exe.com
1004	ipconfig.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SFlSzEoGMT.url	Mie.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Mie.exe.com

description pid process target process

PID 4284 set thread context of 1004 4284 Mie.exe.com ipconfig.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1040 1004 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1004 ipconfig.exe

description	pid	process	target process
PID 4284 set thread context of 1004	4284	Mie.exe.com	ipconfig.exe

pid	pid_target	process	target process
1040	1004	WerFault.exe	ipconfig.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ipconfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4352 PING.EXE

pid	process
4352	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

ipconfig.exeWerFault.exe

pid	process
1004	ipconfig.exe
1004	ipconfig.exe
1004	ipconfig.exe
1004	ipconfig.exe
1004	ipconfig.exe
1004	ipconfig.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Mie.exe.com

pid process

4284 Mie.exe.com
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1040 WerFault.exe
Token: SeBackupPrivilege 1040 WerFault.exe
Token: SeDebugPrivilege 1040 WerFault.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Mie.exe.comMie.exe.com

pid process

4044 Mie.exe.com
4044 Mie.exe.com
4044 Mie.exe.com
4284 Mie.exe.com
4284 Mie.exe.com
4284 Mie.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Mie.exe.comMie.exe.com

pid process

4044 Mie.exe.com
4044 Mie.exe.com
4044 Mie.exe.com
4284 Mie.exe.com
4284 Mie.exe.com
4284 Mie.exe.com

pid	process
4284	Mie.exe.com

description	pid	process
Token: SeRestorePrivilege	1040	WerFault.exe
Token: SeBackupPrivilege	1040	WerFault.exe
Token: SeDebugPrivilege	1040	WerFault.exe

pid	process
4044	Mie.exe.com
4044	Mie.exe.com
4044	Mie.exe.com
4284	Mie.exe.com
4284	Mie.exe.com
4284	Mie.exe.com

pid	process
4044	Mie.exe.com
4044	Mie.exe.com
4044	Mie.exe.com
4284	Mie.exe.com
4284	Mie.exe.com
4284	Mie.exe.com

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

file5.execmd.execmd.exeMie.exe.comMie.exe.com

description	pid	process	target process
PID 4720 wrote to memory of 3004	4720	file5.exe	dllhost.exe
PID 4720 wrote to memory of 3004	4720	file5.exe	dllhost.exe
PID 4720 wrote to memory of 3004	4720	file5.exe	dllhost.exe
PID 4720 wrote to memory of 744	4720	file5.exe	cmd.exe
PID 4720 wrote to memory of 744	4720	file5.exe	cmd.exe
PID 4720 wrote to memory of 744	4720	file5.exe	cmd.exe
PID 744 wrote to memory of 3240	744	cmd.exe	cmd.exe
PID 744 wrote to memory of 3240	744	cmd.exe	cmd.exe
PID 744 wrote to memory of 3240	744	cmd.exe	cmd.exe
PID 3240 wrote to memory of 4052	3240	cmd.exe	findstr.exe
PID 3240 wrote to memory of 4052	3240	cmd.exe	findstr.exe
PID 3240 wrote to memory of 4052	3240	cmd.exe	findstr.exe
PID 3240 wrote to memory of 4044	3240	cmd.exe	Mie.exe.com
PID 3240 wrote to memory of 4044	3240	cmd.exe	Mie.exe.com
PID 3240 wrote to memory of 4044	3240	cmd.exe	Mie.exe.com
PID 3240 wrote to memory of 4352	3240	cmd.exe	PING.EXE
PID 3240 wrote to memory of 4352	3240	cmd.exe	PING.EXE
PID 3240 wrote to memory of 4352	3240	cmd.exe	PING.EXE
PID 4044 wrote to memory of 4284	4044	Mie.exe.com	Mie.exe.com
PID 4044 wrote to memory of 4284	4044	Mie.exe.com	Mie.exe.com
PID 4044 wrote to memory of 4284	4044	Mie.exe.com	Mie.exe.com
PID 4284 wrote to memory of 1004	4284	Mie.exe.com	ipconfig.exe
PID 4284 wrote to memory of 1004	4284	Mie.exe.com	ipconfig.exe
PID 4284 wrote to memory of 1004	4284	Mie.exe.com	ipconfig.exe
PID 4284 wrote to memory of 1004	4284	Mie.exe.com	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\file5.exe
"C:\Users\Admin\AppData\Local\Temp\file5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Col.aif
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^UhYfGpTuZrzSdFeMeNaCLTnviEufMXMBGeXCcrpOPaOzqZuKoyxOwRoqPBiweDxedSkhHmsZEDNattvoncuHDYmPUWNUViMkYMeiOSrJOcpnrPVKtZDGvNnaaczLMvrvRBxaegxFabToO$" Conquista.aif
4⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
Mie.exe.com E
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com E
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ipconfig.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ipconfig.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Gathers network information
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1624
7⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Col.aif
MD5
ba51b37953a5242fa78532267b987110

SHA1
c84898d36e8386a5ab974e49b9807aa278177475

SHA256
628ea32917a7f65391979714b29be37d68e6acacebb987739964a8363b308b3c

SHA512
ce5a1a4cecd50de2e882564386a8b80f6cb1004e9e1aaf76c6ea83a336ed5ff1cfbc564943377f9af46ca168b1ee0d2779d3bfbc3cc136ec5a2939ba969f2e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Conquista.aif
MD5
87f40306af562347d1b9b35f5d043d70

SHA1
012f318a2a3f95f624354bbca83b71e308d30896

SHA256
f89df2759f447f8d5513e5f6fd658cf0a9c56031058ae8c2099edad0f0a7140a

SHA512
ea5bf807cdc0f939a5977435d2e50e6a664756e06b1d1a3021d1744e9f1293b4918648ea12e7b9eb4eb8151197dc4d332c87b2e429e8ae168cd0e610bd4cb457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E
MD5
48cea2c9ef2802c9e2b43a7cecb69757

SHA1
e4c3f134e39172e5f8d1dde6a79c475343909cf6

SHA256
d5c1de681001952aba7e6fe2bc9cf626bfd45292c326ab58e59645a46d62c0f8

SHA512
f91257ddab48b6c15e065cebfabfd3738758a8d1a6a2d8fe8c31b1d6639a9ac370ed0ce63523e626979d4e91e5270dbac7c549a493e19906d5c40615a1368ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.aif
MD5
48cea2c9ef2802c9e2b43a7cecb69757

SHA1
e4c3f134e39172e5f8d1dde6a79c475343909cf6

SHA256
d5c1de681001952aba7e6fe2bc9cf626bfd45292c326ab58e59645a46d62c0f8

SHA512
f91257ddab48b6c15e065cebfabfd3738758a8d1a6a2d8fe8c31b1d6639a9ac370ed0ce63523e626979d4e91e5270dbac7c549a493e19906d5c40615a1368ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sai.aif
MD5
d185b3e6ef193d8b9ed2b77b59e9a16e

SHA1
74741df687b70f37f522456cee4e794477a743ac

SHA256
d2e62664555bf057f4f39dc833a8f3c2693d84b2527c7c42984859d4af300df1

SHA512
6521c141b285c617a8b2b97f21c25bc8af2dd534dd643712beaa045d50b76029a03538fdfcd6eb190d894a9bb0cc25802f4129066498b38939a0ffc31900bf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ipconfig.exe
MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ipconfig.exe
MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/744-116-0x0000000000000000-mapping.dmp

Download
memory/1004-131-0x000000000049EC7D-mapping.dmp

Download
memory/1004-136-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3004-115-0x0000000000000000-mapping.dmp

Download
memory/3240-118-0x0000000000000000-mapping.dmp

Download
memory/4044-122-0x0000000000000000-mapping.dmp

Download
memory/4052-119-0x0000000000000000-mapping.dmp

Download
memory/4284-135-0x0000000001AD0000-0x0000000001AD2000-memory.dmp

Filesize
8KB

Download
memory/4284-130-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/4284-126-0x0000000000000000-mapping.dmp

Download
memory/4352-124-0x0000000000000000-mapping.dmp

Download