vidar | 3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a

General

Target

6FBF058C7A5C8B8889B6D3B043C956E3.exe
Size

5.4MB
MD5

6fbf058c7a5c8b8889b6d3b043c956e3
SHA1

4019f8bbeb202b7fc0a8c4647ada383139c0f02c
SHA256

3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a
SHA512

a3547f66fc7f52a7f75fd69f4cf80a9c4aa8ff02b62d6d862d08b0a6057e6d95a7b5bbaac21c0cb33708e668a7c9fe5a6820bd031bc08725964474a6a4d00ec1
SSDEEP

98304:ZaURnsjfaRQghRWff5j/R0UMz/R0UMr/R0UMw/R0UM0:ZznsjfsvQBD2UMT2UMb2UMA2UM0

Score

10^/10

vidar 1636 stealer

Malware Config

Extracted

Family

vidar

Version

55

Botnet

1636

C2

https://t.me/dghzq

https://t.me/zjsqpz

https://t.me/fqwexzq

Attributes

profile_id
1636

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 2 IoCs

pid	Process
2040	R4CE9-82A5-E8F6D7A.exe
276	R4CE9-82A5-E8F6D7A.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	6FBF058C7A5C8B8889B6D3B043C956E3.exe
1204	6FBF058C7A5C8B8889B6D3B043C956E3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 276	2040	R4CE9-82A5-E8F6D7A.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2040	1204	6FBF058C7A5C8B8889B6D3B043C956E3.exe	28
PID 1204 wrote to memory of 2040	1204	6FBF058C7A5C8B8889B6D3B043C956E3.exe	28
PID 1204 wrote to memory of 2040	1204	6FBF058C7A5C8B8889B6D3B043C956E3.exe	28
PID 1204 wrote to memory of 2040	1204	6FBF058C7A5C8B8889B6D3B043C956E3.exe	28
PID 2040 wrote to memory of 276	2040	R4CE9-82A5-E8F6D7A.exe	29
PID 2040 wrote to memory of 276	2040	R4CE9-82A5-E8F6D7A.exe	29
PID 2040 wrote to memory of 276	2040	R4CE9-82A5-E8F6D7A.exe	29
PID 2040 wrote to memory of 276	2040	R4CE9-82A5-E8F6D7A.exe	29
PID 2040 wrote to memory of 276	2040	R4CE9-82A5-E8F6D7A.exe	29
PID 2040 wrote to memory of 276	2040	R4CE9-82A5-E8F6D7A.exe	29

C:\Users\Admin\AppData\Local\Temp\6FBF058C7A5C8B8889B6D3B043C956E3.exe
"C:\Users\Admin\AppData\Local\Temp\6FBF058C7A5C8B8889B6D3B043C956E3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe
  "C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe
    "C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe"
    3⤵
    - Executes dropped EXE
    PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe

Filesize
515KB

MD5
6b1face6b1df57abdcdd51fdf3440e49

SHA1
4fdf141fb23faed163f08058720d208ec616f432

SHA256
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

SHA512
b5d17e5a4e8cf43019a16cc55914c7e0a37cfad45020105389ad590438488d35a0cb28e3d2e02e682277ab25afaa0f4a75a6e7da8374572ba64e6cc41a8b9021

Download Submit
C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe

Filesize
515KB

MD5
6b1face6b1df57abdcdd51fdf3440e49

SHA1
4fdf141fb23faed163f08058720d208ec616f432

SHA256
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

SHA512
b5d17e5a4e8cf43019a16cc55914c7e0a37cfad45020105389ad590438488d35a0cb28e3d2e02e682277ab25afaa0f4a75a6e7da8374572ba64e6cc41a8b9021

Download Submit
C:\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe

Filesize
515KB

MD5
6b1face6b1df57abdcdd51fdf3440e49

SHA1
4fdf141fb23faed163f08058720d208ec616f432

SHA256
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

SHA512
b5d17e5a4e8cf43019a16cc55914c7e0a37cfad45020105389ad590438488d35a0cb28e3d2e02e682277ab25afaa0f4a75a6e7da8374572ba64e6cc41a8b9021

Download Submit
\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe

Filesize
515KB

MD5
6b1face6b1df57abdcdd51fdf3440e49

SHA1
4fdf141fb23faed163f08058720d208ec616f432

SHA256
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

SHA512
b5d17e5a4e8cf43019a16cc55914c7e0a37cfad45020105389ad590438488d35a0cb28e3d2e02e682277ab25afaa0f4a75a6e7da8374572ba64e6cc41a8b9021

Download Submit
\Users\Admin\AppData\Roaming\DIO CONSALTING\CE9-82A5-E8F6D7A\R4CE9-82A5-E8F6D7A.exe

Filesize
515KB

MD5
6b1face6b1df57abdcdd51fdf3440e49

SHA1
4fdf141fb23faed163f08058720d208ec616f432

SHA256
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

SHA512
b5d17e5a4e8cf43019a16cc55914c7e0a37cfad45020105389ad590438488d35a0cb28e3d2e02e682277ab25afaa0f4a75a6e7da8374572ba64e6cc41a8b9021

Download Submit
memory/276-65-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/276-63-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/276-71-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/276-72-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/276-73-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1204-60-0x0000000003690000-0x00000000036C4000-memory.dmp

Filesize
208KB

Download
memory/1204-59-0x0000000003690000-0x00000000036C4000-memory.dmp

Filesize
208KB

Download
memory/1204-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/2040-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing