vidar | 6c5cc4dd03315eb744f8ab77cec40bdf6fc24351471b7bb88700b31fb1cd4288

General

Target

eufive_20210919-061425.exe
Size

667KB
MD5

46302b8558c8536644e001148ef055c5
SHA1

ceb335a297300d9df123ece8287956ac2e4dc6f0
SHA256

6c5cc4dd03315eb744f8ab77cec40bdf6fc24351471b7bb88700b31fb1cd4288
SHA512

018c68bfa640eab464eb296b3a355c8ebc4e8b2bafd42e617b6c4d09bf80e0a28ce969e4dfa1cc8c931c7f66d91e215efb6a03ef85c93018404bb88cad4679c4

Score

10^/10

vidar 865 stealer

Malware Config

Extracted

Family

vidar

Version

40.7

Botnet

865

C2

https://petrenko96.tumblr.com/

Attributes

profile_id
865

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4280 created 3612 4280 WerFault.exe eufive_20210919-061425.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 4280 created 3612	4280	WerFault.exe	eufive_20210919-061425.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3612-115-0x0000000000790000-0x0000000000864000-memory.dmp	family_vidar
behavioral2/memory/3612-116-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4280 3612 WerFault.exe eufive_20210919-061425.exe

pid	pid_target	process	target process
4280	3612	WerFault.exe	eufive_20210919-061425.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

eufive_20210919-061425.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eufive_20210919-061425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	eufive_20210919-061425.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4280 WerFault.exe
Token: SeBackupPrivilege 4280 WerFault.exe
Token: SeDebugPrivilege 4280 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4280	WerFault.exe
Token: SeBackupPrivilege	4280	WerFault.exe
Token: SeDebugPrivilege	4280	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\eufive_20210919-061425.exe
"C:\Users\Admin\AppData\Local\Temp\eufive_20210919-061425.exe"
1⤵
- Modifies system certificate store
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 920
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3612-115-0x0000000000790000-0x0000000000864000-memory.dmp

Filesize
848KB

Download
memory/3612-116-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads