vidar | 532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a

General

Target

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
Size

858KB
MD5

d305c0176dc9a1f3daf516e6034f2b57
SHA1

87faa41997ee2187247d117081d46284193fabda
SHA256

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a
SHA512

8f7ca5e48f4f21d8429d0719caa6dd705d74c466392c1e91d372915aa8e4855789cd288d94567a59d301cc7335e55c8e0836b3280199ee9001149ab6b36a0a8e

Score

10^/10

vidar discovery spyware stealer suricata

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

0HO018CL5PMY1CLE.exe

pid process

32 0HO018CL5PMY1CLE.exe

pid	process
32	0HO018CL5PMY1CLE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

Loads dropped DLL 2 IoCs

Processes:

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

pid	process
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe

NTFS ADS 2 IoCs

Processes:

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

description	ioc	process
File created	C:\ProgramData\0HO018CL5PMY1CLE.exe:Zone.Identifier	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
File opened for modification	C:\ProgramData\0HO018CL5PMY1CLE.exe:Zone.Identifier	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

pid	process
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MusNotification.exe

description pid process

Token: SeShutdownPrivilege 2512 MusNotification.exe
Token: SeCreatePagefilePrivilege 2512 MusNotification.exe

description	pid	process
Token: SeShutdownPrivilege	2512	MusNotification.exe
Token: SeCreatePagefilePrivilege	2512	MusNotification.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe

description	pid	process	target process
PID 1452 wrote to memory of 32	1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe	0HO018CL5PMY1CLE.exe
PID 1452 wrote to memory of 32	1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe	0HO018CL5PMY1CLE.exe
PID 1452 wrote to memory of 32	1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe	0HO018CL5PMY1CLE.exe
PID 1452 wrote to memory of 3008	1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe	cmd.exe
PID 1452 wrote to memory of 3008	1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe	cmd.exe
PID 1452 wrote to memory of 3008	1452	532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe
"C:\Users\Admin\AppData\Local\Temp\532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452
- C:\ProgramData\0HO018CL5PMY1CLE.exe
  "C:\ProgramData\0HO018CL5PMY1CLE.exe"
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\532bc078a68683ce70cb765191a128fadee2a23180b1a8e8a16b72f1a8ee291a.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:3008

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0HO018CL5PMY1CLE.exe

MD5
3f20329a1a2b2334579c215af2a6e2be

SHA1
0c4430dbfb710175df15699d83de38659cb4911b

SHA256
360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef

SHA512
78dd12b49b07ba53635179f8156c4ee132a5cc98136ac05707bc147308f3a5fffc65d38ae8ccb50cdd1b2f86e8cafb906cd856cf8a44ad5bf037ef9ec3be2261

Download Submit
C:\ProgramData\0HO018CL5PMY1CLE.exe

MD5
3f20329a1a2b2334579c215af2a6e2be

SHA1
0c4430dbfb710175df15699d83de38659cb4911b

SHA256
360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef

SHA512
78dd12b49b07ba53635179f8156c4ee132a5cc98136ac05707bc147308f3a5fffc65d38ae8ccb50cdd1b2f86e8cafb906cd856cf8a44ad5bf037ef9ec3be2261

Download Submit
C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/32-132-0x0000000000000000-mapping.dmp

Download
memory/3008-135-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads