vidar | 6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
27-09-2021 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
Size

1.5MB
MD5

b2636a5d25142f4c2d6dd77725b86668
SHA1

d159a0189889d632d49926d3a7174f1e7646d080
SHA256

6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909
SHA512

ce4ed3f295a7578438e0da1aabbabe5caea5ded83bd5f10a8ccd1f9fb93d9bde68f7417d36666aeffd36df4ba0430cc46572cf6be53b7177bccbcc7269ec6c1f

Score

10^/10

vidar spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3736 created 2384 3736 WerFault.exe 6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 3736 created 2384	3736	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2384-116-0x00000000029E0000-0x0000000002AFB000-memory.dmp	family_vidar
behavioral1/memory/2384-117-0x0000000000400000-0x000000000057E000-memory.dmp	family_vidar

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

Processes:

6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe

pid	process
2384	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
2384	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2748	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
3804	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
992	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
4080	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
4024	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
848	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
1292	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
932	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
2340	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
904	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
1032	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
4008	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
3736	2384	WerFault.exe	6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe
4024	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2748	WerFault.exe
Token: SeBackupPrivilege	2748	WerFault.exe
Token: SeDebugPrivilege	2748	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	992	WerFault.exe
Token: SeDebugPrivilege	4080	WerFault.exe
Token: SeDebugPrivilege	4024	WerFault.exe
Token: SeDebugPrivilege	848	WerFault.exe
Token: SeDebugPrivilege	1292	WerFault.exe
Token: SeDebugPrivilege	932	WerFault.exe
Token: SeDebugPrivilege	2340	WerFault.exe
Token: SeDebugPrivilege	904	WerFault.exe
Token: SeDebugPrivilege	1032	WerFault.exe
Token: SeDebugPrivilege	4008	WerFault.exe
Token: SeDebugPrivilege	3736	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe
"C:\Users\Admin\AppData\Local\Temp\6b83e9bcd24ef0fbce4de5bd13c00128ded16edd396b38cae7b81282c371b909.exe"
1⤵
- Loads dropped DLL
PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 920
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1056
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1020
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1492
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1468
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1220
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1484
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1672
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1220
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1424
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1708
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1632
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1748
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/2384-115-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2384-116-0x00000000029E0000-0x0000000002AFB000-memory.dmp

Filesize
1.1MB

Download
memory/2384-117-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download