vidar | 3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90

General

Target

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
Size

56KB
MD5

52d5dab06aa1b976bb7c584b36f95c2d
SHA1

b5b3cdd6e1ac21f8382991240cac3d50af63f967
SHA256

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90
SHA512

7aeaae80477fafc739a1fd3e98d2646af080a54bf8aa78d7c8ab38bef75577d59bd2b868c5d5d8e1108a0d3c4cc10dbe2fada31cf7073b89030526d619c29e9e

Score

10^/10

vidar 754 stealer

Malware Config

Extracted

Family

vidar

Version

48.1

Botnet

754

C2

https://koyu.space/@rspich

Attributes

profile_id
754

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1232-63-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar
behavioral1/memory/1232-64-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar
behavioral1/memory/1232-66-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

description	pid	process	target process
PID 1180 set thread context of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1800 1232 WerFault.exe 3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

pid	pid_target	process	target process
1800	1232	WerFault.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exeWerFault.exe

pid	process
1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
Token: SeDebugPrivilege	1800	WerFault.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe

description	pid	process	target process
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1180 wrote to memory of 1232	1180	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
PID 1232 wrote to memory of 1800	1232	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	WerFault.exe
PID 1232 wrote to memory of 1800	1232	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	WerFault.exe
PID 1232 wrote to memory of 1800	1232	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	WerFault.exe
PID 1232 wrote to memory of 1800	1232	3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
"C:\Users\Admin\AppData\Local\Temp\3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
C:\Users\Admin\AppData\Local\Temp\3d9b1ddce39d90bb1efa52a5f866f74ea8b9acb922ec27fb15b753e45c864c90.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1300
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2868731bbe2be1ccd68128c176ec428e

SHA1
952c1c8f797d3706aedb7558869be4268e1e30da

SHA256
ccf32533c1a6afa46f19f5fc433a0b42da2c79f7694dcda36593e2be33baa3e9

SHA512
18beef1455644032b5325ea457bb1dcf9be7d367bb1b4be3ff26b672af846f2dd0b5f04ee3ffe7e2da373db39ef1ba6e1c0046327df2523a524c381defd6cbe7

Download Submit
memory/1180-55-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/1180-56-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/1180-57-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1180-58-0x0000000005860000-0x0000000005920000-memory.dmp

Filesize
768KB

Download
memory/1180-59-0x0000000005EF0000-0x0000000005F74000-memory.dmp

Filesize
528KB

Download
memory/1232-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1232-62-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1232-63-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1232-64-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1232-65-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1232-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1232-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1800-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads