vidar | 22d5d59d54369797b47fb086e329d72d65f98bd679977370ddb24118815f311b

General

Target

41ed34b70460e1eb3b561fbc89b65052.exe
Size

567KB
MD5

41ed34b70460e1eb3b561fbc89b65052
SHA1

a5def1d5bf16265f8a828dd4b1e9c2deede4e3c1
SHA256

22d5d59d54369797b47fb086e329d72d65f98bd679977370ddb24118815f311b
SHA512

03cc6e74afc17bfbc54d9284d84c3b0d33f1d615cd7214aa6fabddb42579e30d9117aeaa88c3e8fdb56a9d6438eb1fdd7c00af9c0ebb730619ee19b6f34dbf60

Score

10^/10

vidar 921 stealer

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

921

C2

https://mas.to/@xeroxxx

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_vidar
C:\Users\Admin\AppData\Local\Temp\build.exe	family_vidar
\Users\Admin\AppData\Local\Temp\build.exe	family_vidar
\Users\Admin\AppData\Local\Temp\build.exe	family_vidar
\Users\Admin\AppData\Local\Temp\build.exe	family_vidar
\Users\Admin\AppData\Local\Temp\build.exe	family_vidar

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

1400 build.exe
Loads dropped DLL 4 IoCs

Processes:

WerFault.exe

pid process

1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1660 1400 WerFault.exe build.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1660 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1660 WerFault.exe

pid	process
1400	build.exe

pid	process
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe

pid	pid_target	process	target process
1660	1400	WerFault.exe	build.exe

pid	process
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe

pid	process
1660	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1660	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

41ed34b70460e1eb3b561fbc89b65052.exebuild.exe

description	pid	process	target process
PID 1624 wrote to memory of 1400	1624	41ed34b70460e1eb3b561fbc89b65052.exe	build.exe
PID 1624 wrote to memory of 1400	1624	41ed34b70460e1eb3b561fbc89b65052.exe	build.exe
PID 1624 wrote to memory of 1400	1624	41ed34b70460e1eb3b561fbc89b65052.exe	build.exe
PID 1624 wrote to memory of 1400	1624	41ed34b70460e1eb3b561fbc89b65052.exe	build.exe
PID 1400 wrote to memory of 1660	1400	build.exe	WerFault.exe
PID 1400 wrote to memory of 1660	1400	build.exe	WerFault.exe
PID 1400 wrote to memory of 1660	1400	build.exe	WerFault.exe
PID 1400 wrote to memory of 1660	1400	build.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\41ed34b70460e1eb3b561fbc89b65052.exe
"C:\Users\Admin\AppData\Local\Temp\41ed34b70460e1eb3b561fbc89b65052.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 864
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build.exe
MD5
eafba1017e94765780d8a5b182d4c325

SHA1
7968d32aa44d2c66dc670841d86ef8dba376128f

SHA256
0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

SHA512
31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
MD5
eafba1017e94765780d8a5b182d4c325

SHA1
7968d32aa44d2c66dc670841d86ef8dba376128f

SHA256
0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

SHA512
31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
MD5
eafba1017e94765780d8a5b182d4c325

SHA1
7968d32aa44d2c66dc670841d86ef8dba376128f

SHA256
0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

SHA512
31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
MD5
eafba1017e94765780d8a5b182d4c325

SHA1
7968d32aa44d2c66dc670841d86ef8dba376128f

SHA256
0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

SHA512
31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
MD5
eafba1017e94765780d8a5b182d4c325

SHA1
7968d32aa44d2c66dc670841d86ef8dba376128f

SHA256
0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

SHA512
31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
MD5
eafba1017e94765780d8a5b182d4c325

SHA1
7968d32aa44d2c66dc670841d86ef8dba376128f

SHA256
0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

SHA512
31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

Download Submit
memory/1400-61-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/1400-59-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x000000013F530000-0x000000013F531000-memory.dmp

Filesize
4KB

Download
memory/1624-58-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/1624-57-0x000000001B560000-0x000000001B5D8000-memory.dmp

Filesize
480KB

Download
memory/1624-56-0x0000000002570000-0x00000000026AD000-memory.dmp

Filesize
1.2MB

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1660-68-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing