vidar | 152c854e0e028eaa43bef46d7375d5704cf43f2c22a0354d7757e7cf5cdc3a89

General

Target

09ab0907323d5de77ebe2891813dc5d0.exe
Size

635KB
MD5

09ab0907323d5de77ebe2891813dc5d0
SHA1

edbee14a3f89d075e152013d48d8dd794d08c254
SHA256

152c854e0e028eaa43bef46d7375d5704cf43f2c22a0354d7757e7cf5cdc3a89
SHA512

1ab37e6af947694a2140c67d23b80121a23f742374c794bb47e5bae20ed46bbefb1ecf24a90d28f058140f1ccda693fdf90690c7090250c0dfa7c5bfc90269c9

Score

10^/10

vidar 1008 stealer

Malware Config

Extracted

Family

vidar

Version

41.3

Botnet

1008

C2

https://mas.to/@oleg98

Attributes

profile_id
1008

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1120-62-0x00000000002A0000-0x0000000000376000-memory.dmp	family_vidar
behavioral1/memory/1120-63-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

992 1120 WerFault.exe 09ab0907323d5de77ebe2891813dc5d0.exe

pid	pid_target	process	target process
992	1120	WerFault.exe	09ab0907323d5de77ebe2891813dc5d0.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

09ab0907323d5de77ebe2891813dc5d0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	09ab0907323d5de77ebe2891813dc5d0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	09ab0907323d5de77ebe2891813dc5d0.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

992 WerFault.exe
992 WerFault.exe
992 WerFault.exe
992 WerFault.exe
992 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

992 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 992 WerFault.exe

pid	process
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe

pid	process
992	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	992	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

09ab0907323d5de77ebe2891813dc5d0.exe

description	pid	process	target process
PID 1120 wrote to memory of 992	1120	09ab0907323d5de77ebe2891813dc5d0.exe	WerFault.exe
PID 1120 wrote to memory of 992	1120	09ab0907323d5de77ebe2891813dc5d0.exe	WerFault.exe
PID 1120 wrote to memory of 992	1120	09ab0907323d5de77ebe2891813dc5d0.exe	WerFault.exe
PID 1120 wrote to memory of 992	1120	09ab0907323d5de77ebe2891813dc5d0.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\09ab0907323d5de77ebe2891813dc5d0.exe
"C:\Users\Admin\AppData\Local\Temp\09ab0907323d5de77ebe2891813dc5d0.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 868
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-64-0x0000000000000000-mapping.dmp

Download
memory/992-65-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1120-60-0x0000000000958000-0x00000000009D5000-memory.dmp

Filesize
500KB

Download
memory/1120-61-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1120-62-0x00000000002A0000-0x0000000000376000-memory.dmp

Filesize
856KB

Download
memory/1120-63-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads