vidar | ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d

Analysis

max time kernel
144s
max time network
147s
platform
windows10_x64
resource
win10-en-20210920
submitted
27-09-2021 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
Size

1.5MB
MD5

10f2cc4211abbe1c14de7f5f9f875535
SHA1

db4f00bedb52ec5c9460cf863418f289ad0c292b
SHA256

ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d
SHA512

2de9496ce7c5ebee94cee10ae2996974759ae71da28f234011793905d17c275a4c5a5b7b018e1a0eba94ea72e29ba36677b4f23f6246c22d1a97274d2c17a4db

Score

10^/10

vidar spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4456 created 3800 4456 WerFault.exe ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 4456 created 3800	4456	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3800-117-0x0000000000400000-0x000000000057E000-memory.dmp	family_vidar
behavioral1/memory/3800-116-0x0000000002A70000-0x0000000002B8B000-memory.dmp	family_vidar

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

Processes:

ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe

pid	process
3800	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
3800	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4200	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
752	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4372	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4088	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
1540	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4392	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4420	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4396	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
1840	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4532	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4584	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4500	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
4456	3800	WerFault.exe	ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
4200	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	4200	WerFault.exe
Token: SeBackupPrivilege	4200	WerFault.exe
Token: SeDebugPrivilege	4200	WerFault.exe
Token: SeDebugPrivilege	752	WerFault.exe
Token: SeDebugPrivilege	4372	WerFault.exe
Token: SeDebugPrivilege	4088	WerFault.exe
Token: SeDebugPrivilege	1540	WerFault.exe
Token: SeDebugPrivilege	4392	WerFault.exe
Token: SeDebugPrivilege	4420	WerFault.exe
Token: SeDebugPrivilege	4396	WerFault.exe
Token: SeDebugPrivilege	1840	WerFault.exe
Token: SeDebugPrivilege	4532	WerFault.exe
Token: SeDebugPrivilege	4584	WerFault.exe
Token: SeDebugPrivilege	4500	WerFault.exe
Token: SeDebugPrivilege	4456	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe
"C:\Users\Admin\AppData\Local\Temp\ea9265755d728129e8ef4f75be1e469c736e00d56855efc83e51bff2f6e1cb6d.exe"
1⤵
- Loads dropped DLL
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 920
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1056
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1068
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1496
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1496
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1708
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1416
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1812
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1832
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1908
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1768
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1492
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/3800-115-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3800-117-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3800-116-0x0000000002A70000-0x0000000002B8B000-memory.dmp

Filesize
1.1MB

Download