vidar | cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344

General

Target

5e968b323d6dc7777a4eb797c8b99ac1.exe
Size

1.1MB
MD5

5e968b323d6dc7777a4eb797c8b99ac1
SHA1

c427a514f70410dba47e5799f23bd511ce39ec14
SHA256

cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
SHA512

fb17586b212cfc95f0ddddda81530e3ca79c47ff5545889b77ffa8b1a555319958bf5f310a9fd8efaa23cae29cc6caaf6b1a3dc5fac8bf87249b2b2be4b74616

Score

10^/10

vidar 921 stealer

Malware Config

Extracted

Family

vidar

Version

41.3

Botnet

921

C2

https://mas.to/@oleg98

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1324-56-0x000000001A880000-0x000000001A958000-memory.dmp	family_vidar
C:\ProgramData\build.exe	family_vidar
C:\ProgramData\build.exe	family_vidar
\ProgramData\build.exe	family_vidar
\ProgramData\build.exe	family_vidar
\ProgramData\build.exe	family_vidar
\ProgramData\build.exe	family_vidar

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

268 build.exe
Loads dropped DLL 4 IoCs

Processes:

WerFault.exe

pid process

1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1396 268 WerFault.exe build.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1396 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1396 WerFault.exe

pid	process
268	build.exe

pid	process
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe

pid	pid_target	process	target process
1396	268	WerFault.exe	build.exe

pid	process
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe

pid	process
1396	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1396	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5e968b323d6dc7777a4eb797c8b99ac1.exebuild.exe

description	pid	process	target process
PID 1324 wrote to memory of 268	1324	5e968b323d6dc7777a4eb797c8b99ac1.exe	build.exe
PID 1324 wrote to memory of 268	1324	5e968b323d6dc7777a4eb797c8b99ac1.exe	build.exe
PID 1324 wrote to memory of 268	1324	5e968b323d6dc7777a4eb797c8b99ac1.exe	build.exe
PID 1324 wrote to memory of 268	1324	5e968b323d6dc7777a4eb797c8b99ac1.exe	build.exe
PID 268 wrote to memory of 1396	268	build.exe	WerFault.exe
PID 268 wrote to memory of 1396	268	build.exe	WerFault.exe
PID 268 wrote to memory of 1396	268	build.exe	WerFault.exe
PID 268 wrote to memory of 1396	268	build.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5e968b323d6dc7777a4eb797c8b99ac1.exe
"C:\Users\Admin\AppData\Local\Temp\5e968b323d6dc7777a4eb797c8b99ac1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 860
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\build.exe
MD5
b05de2393095aedd4594b4ac3ec90f0f

SHA1
94e9156c52103173b51dc9227539fcb77eb3e7e8

SHA256
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851

SHA512
b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290

Download Submit
C:\ProgramData\build.exe
MD5
b05de2393095aedd4594b4ac3ec90f0f

SHA1
94e9156c52103173b51dc9227539fcb77eb3e7e8

SHA256
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851

SHA512
b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290

Download Submit
\ProgramData\build.exe
MD5
b05de2393095aedd4594b4ac3ec90f0f

SHA1
94e9156c52103173b51dc9227539fcb77eb3e7e8

SHA256
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851

SHA512
b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290

Download Submit
\ProgramData\build.exe
MD5
b05de2393095aedd4594b4ac3ec90f0f

SHA1
94e9156c52103173b51dc9227539fcb77eb3e7e8

SHA256
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851

SHA512
b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290

Download Submit
\ProgramData\build.exe
MD5
b05de2393095aedd4594b4ac3ec90f0f

SHA1
94e9156c52103173b51dc9227539fcb77eb3e7e8

SHA256
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851

SHA512
b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290

Download Submit
\ProgramData\build.exe
MD5
b05de2393095aedd4594b4ac3ec90f0f

SHA1
94e9156c52103173b51dc9227539fcb77eb3e7e8

SHA256
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851

SHA512
b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/268-59-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1324-56-0x000000001A880000-0x000000001A958000-memory.dmp

Filesize
864KB

Download
memory/1324-60-0x000000001B9A0000-0x000000001B9A2000-memory.dmp

Filesize
8KB

Download
memory/1324-55-0x000000001C030000-0x000000001C1AA000-memory.dmp

Filesize
1.5MB

Download
memory/1324-53-0x000000013F0F0000-0x000000013F0F1000-memory.dmp

Filesize
4KB

Download
memory/1396-61-0x0000000000000000-mapping.dmp

Download
memory/1396-67-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing