vidar | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4

General

Target

bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
Size

679KB
MD5

f4a9c73c92501f4ada0ad74830610e11
SHA1

f5755ba5404a3fc467f850ff2dd01e6d9fd228fd
SHA256

bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4
SHA512

7eb7d62d729b2d2dbacd89d6f2a3d94f053ee0336a413fef76effd3a6b445e9f0877c931bfda11ac3624a0bb8ce09268fac4fb637b7d0ea128342a3d9ac80d7c

Score

10^/10

vidar 937 stealer

Malware Config

Extracted

Family

vidar

Version

48.4

Botnet

937

C2

https://koyu.space/@qmashton

Attributes

profile_id
937

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1916 created 5080 1916 WerFault.exe bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 1916 created 5080	1916	WerFault.exe	bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5080-131-0x00000000023D0000-0x00000000024A5000-memory.dmp	family_vidar
behavioral2/memory/5080-132-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

868 5080 WerFault.exe bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe

pid	pid_target	process	target process
868	5080	WerFault.exe	bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WerFault.exe

pid process

868 WerFault.exe
868 WerFault.exe

pid	process
868	WerFault.exe
868	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeRestorePrivilege	868	WerFault.exe
Token: SeBackupPrivilege	868	WerFault.exe
Token: SeShutdownPrivilege	1404	svchost.exe
Token: SeCreatePagefilePrivilege	1404	svchost.exe
Token: SeShutdownPrivilege	1404	svchost.exe
Token: SeCreatePagefilePrivilege	1404	svchost.exe
Token: SeShutdownPrivilege	1404	svchost.exe
Token: SeCreatePagefilePrivilege	1404	svchost.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 1916 wrote to memory of 5080	1916	WerFault.exe	bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
PID 1916 wrote to memory of 5080	1916	WerFault.exe	bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe

C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
"C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe"
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1008
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5080 -ip 5080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-133-0x000001D6E6330000-0x000001D6E637B000-memory.dmp

Filesize
300KB

Download
memory/1404-137-0x000001D6E6370000-0x000001D6E6380000-memory.dmp

Filesize
64KB

Download
memory/1404-138-0x000001D6E6390000-0x000001D6E63A0000-memory.dmp

Filesize
64KB

Download
memory/1404-139-0x000001D6E90B0000-0x000001D6E90B4000-memory.dmp

Filesize
16KB

Download
memory/5080-130-0x0000000002290000-0x000000000230B000-memory.dmp

Filesize
492KB

Download
memory/5080-131-0x00000000023D0000-0x00000000024A5000-memory.dmp

Filesize
852KB

Download
memory/5080-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads