vidar | fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
Size

2.8MB
MD5

42dfab1fc3e86efb33605a188238785f
SHA1

2143d6fc6f94dca174ceed7a2ea9af40f7a73408
SHA256

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e
SHA512

ff06aae357ee661c5d18fd66020f20d5d5891faff803a31cb98757015f37e1fbe373a7778064b6e03d9389638d0c42701806175e0ec78506f653c83957c2f0d1

Score

10^/10

vidar 539 discovery evasion spyware stealer suricata themida trojan

Malware Config

Extracted

Family

vidar

Version

25.3

Botnet

539

http://rattlesnakespr.com/

Attributes

profile_id
539

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3540-133-0x0000000000400000-0x0000000000AFA000-memory.dmp	family_vidar
behavioral2/memory/3540-134-0x0000000000400000-0x0000000000AFA000-memory.dmp	family_vidar

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3540-130-0x0000000000400000-0x0000000000AFA000-memory.dmp	themida
behavioral2/memory/3540-132-0x0000000000400000-0x0000000000AFA000-memory.dmp	themida
behavioral2/memory/3540-133-0x0000000000400000-0x0000000000AFA000-memory.dmp	themida
behavioral2/memory/3540-134-0x0000000000400000-0x0000000000AFA000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

pid process

3540 fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

flow	ioc
7	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

pid	process
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
3540	fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe

C:\Users\Admin\AppData\Local\Temp\fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
"C:\Users\Admin\AppData\Local\Temp\fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-130-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3540-131-0x0000000077780000-0x0000000077923000-memory.dmp

Filesize
1.6MB

Download
memory/3540-132-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3540-133-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3540-134-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3540-135-0x0000000077780000-0x0000000077923000-memory.dmp

Filesize
1.6MB

Download