vidar | 332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15

General

Target

332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
Size

1.5MB
MD5

584f45058842b22805828df76bd94956
SHA1

a343399d9313bf47be11cbd6fc063637bf8ef5fb
SHA256

332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15
SHA512

50f80ad5b8980a4689d82d04accd7ca523b3d0e14bfbb8f798d756e0c71cf7b6210ca30bbbbac20cd9be5e245191695df6c2432e913de980f6a25157e6eed313

Score

10^/10

vidar spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 700 created 1108 700 WerFault.exe 332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 700 created 1108	700	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1108-115-0x00000000028C0000-0x00000000029DB000-memory.dmp	family_vidar
behavioral1/memory/1108-116-0x0000000000400000-0x000000000057E000-memory.dmp	family_vidar

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

Processes:

332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe

pid	process
1108	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
1108	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1344	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
1488	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
1672	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
2044	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
2192	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
2492	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
2616	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
2816	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
3872	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
4032	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
4060	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
4052	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
700	1108	WerFault.exe	332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1344	WerFault.exe
Token: SeBackupPrivilege	1344	WerFault.exe
Token: SeDebugPrivilege	1344	WerFault.exe
Token: SeDebugPrivilege	1488	WerFault.exe
Token: SeDebugPrivilege	1672	WerFault.exe
Token: SeDebugPrivilege	2044	WerFault.exe
Token: SeDebugPrivilege	2192	WerFault.exe
Token: SeDebugPrivilege	2492	WerFault.exe
Token: SeDebugPrivilege	2616	WerFault.exe
Token: SeDebugPrivilege	2816	WerFault.exe
Token: SeDebugPrivilege	3872	WerFault.exe
Token: SeDebugPrivilege	4032	WerFault.exe
Token: SeDebugPrivilege	4060	WerFault.exe
Token: SeDebugPrivilege	4052	WerFault.exe
Token: SeDebugPrivilege	700	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
"C:\Users\Admin\AppData\Local\Temp\332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe"
1⤵
- Loads dropped DLL
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 916
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1012
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1212
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1480
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1708
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1712
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1624
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1664
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1720
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1700
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1624
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/1108-114-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1108-115-0x00000000028C0000-0x00000000029DB000-memory.dmp

Filesize
1.1MB

Download
memory/1108-116-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads