vidar | 5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801

Analysis

max time kernel
144s
max time network
149s
platform
windows10_x64
resource
win10v20210408
submitted
23-09-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801.exe
Size

1.5MB
MD5

43ecb980e6e1db8f394af5b6d065eba6
SHA1

36e05d72b5a9efd3e5283d46fb42f0d6204f2ed3
SHA256

5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801
SHA512

34062ccbb04992ee177cade1e218b608573fa9c2f0a073960aec3ea34b7140707127829f123fb3af7d7fd1448fc4d2a5958f9bf31833bf7047ff3d3271ecd04b

Score

10^/10

vidar 1013 spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

1013

https://mas.to/@killern0

Attributes

profile_id
1013

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 580 created 808	580	WerFault.exe	67

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/808-116-0x0000000000400000-0x000000000057E000-memory.dmp	family_vidar
behavioral1/memory/808-115-0x0000000002A70000-0x0000000002B8B000-memory.dmp	family_vidar

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
808	5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801.exe
808	5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1180	808	WerFault.exe	67
1336	808	WerFault.exe	67
1460	808	WerFault.exe	67
1716	808	WerFault.exe	67
1948	808	WerFault.exe	67
2168	808	WerFault.exe	67
2384	808	WerFault.exe	67
2616	808	WerFault.exe	67
2720	808	WerFault.exe	67
2740	808	WerFault.exe	67
3552	808	WerFault.exe	67
3980	808	WerFault.exe	67
3184	808	WerFault.exe	67
500	808	WerFault.exe	67
580	808	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	1180	WerFault.exe
Token: SeBackupPrivilege	1180	WerFault.exe
Token: SeDebugPrivilege	1180	WerFault.exe
Token: SeDebugPrivilege	1336	WerFault.exe
Token: SeDebugPrivilege	1460	WerFault.exe
Token: SeDebugPrivilege	1716	WerFault.exe
Token: SeDebugPrivilege	1948	WerFault.exe
Token: SeDebugPrivilege	2168	WerFault.exe
Token: SeDebugPrivilege	2384	WerFault.exe
Token: SeDebugPrivilege	2616	WerFault.exe
Token: SeDebugPrivilege	2720	WerFault.exe
Token: SeDebugPrivilege	2740	WerFault.exe
Token: SeDebugPrivilege	3552	WerFault.exe
Token: SeDebugPrivilege	3980	WerFault.exe
Token: SeDebugPrivilege	3184	WerFault.exe
Token: SeDebugPrivilege	500	WerFault.exe
Token: SeDebugPrivilege	580	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801.exe
"C:\Users\Admin\AppData\Local\Temp\5b2fce91cda0fa71818a683c57c88eb1533b70bcfb5e82b312757b3015d69801.exe"
1⤵
- Loads dropped DLL
PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 780
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 920
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1044
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1212
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1512
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1708
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1680
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1728
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1476
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1484
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1760
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1760
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1728
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1784
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1692
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-114-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/808-116-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/808-115-0x0000000002A70000-0x0000000002B8B000-memory.dmp

Filesize
1.1MB

Download