vidar | 4f9c751502c5a0f0783d4ce9e2dab195b4088e184037a2828a5d4ba0fcd098d9

General

Target

Latest_Setup_1234_Pass.rar
Size

6.7MB
MD5

7eb5803eb4ceef294a77965cbfe08b15
SHA1

ab3e0092fcb570a0748dd9a373767abc41dccf9a
SHA256

4f9c751502c5a0f0783d4ce9e2dab195b4088e184037a2828a5d4ba0fcd098d9
SHA512

adf94da82ff4f7476555cd3fddb434f211ab8ed27a1616ca29250dbdc611faca28b7e5b5eb0609c73d68b697496cbfa25c1ab7a4ab3083f195c3f9d9803555fb
SSDEEP

196608:+MZrAnnXNLoTq1QFK60js3RzUfdUF96Siwuz:JrWP1QYtQxsdWy

Score

10^/10

vidar 1281 stealer

Malware Config

Extracted

Family

vidar

Version

54.6

Botnet

1281

C2

https://t.me/parampampamsss

Attributes

profile_id
1281

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

1608 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1608	Setup.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

364 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup.exe

pid process

1608 Setup.exe
1608 Setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

364 vlc.exe

pid	process
364	vlc.exe

pid	process
1608	Setup.exe
1608	Setup.exe

pid	process
364	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	1840	7zG.exe
Token: 35	1840	7zG.exe
Token: SeSecurityPrivilege	1840	7zG.exe
Token: SeSecurityPrivilege	1840	7zG.exe
Token: 33	1868	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1868	AUDIODG.EXE
Token: 33	1868	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1868	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

vlc.exe7zG.exe

pid process

364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
1840 7zG.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
364 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

364 vlc.exe

pid	process
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
1840	7zG.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe

pid	process
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe
364	vlc.exe

pid	process
364	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1184 wrote to memory of 1108	1184	cmd.exe	rundll32.exe
PID 1184 wrote to memory of 1108	1184	cmd.exe	rundll32.exe
PID 1184 wrote to memory of 1108	1184	cmd.exe	rundll32.exe
PID 1108 wrote to memory of 364	1108	rundll32.exe	vlc.exe
PID 1108 wrote to memory of 364	1108	rundll32.exe	vlc.exe
PID 1108 wrote to memory of 364	1108	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1992

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\" -spe -an -ai#7zMap17926:124:7zEvent15263
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe
Filesize
374.0MB

MD5
4b5a8b4c9509f42358d2109a5744b0ec

SHA1
c4f017ea690cd70ab6520a24377b3932f337c9d1

SHA256
36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f

SHA512
36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe
Filesize
374.0MB

MD5
4b5a8b4c9509f42358d2109a5744b0ec

SHA1
c4f017ea690cd70ab6520a24377b3932f337c9d1

SHA256
36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f

SHA512
36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

Download Submit
memory/364-81-0x0000000000000000-mapping.dmp

Download
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1184-54-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download
memory/1608-86-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1608-88-0x00000000000E0000-0x0000000000B7D000-memory.dmp

Filesize
10.6MB

Download
memory/1608-91-0x00000000000E0000-0x0000000000B7D000-memory.dmp

Filesize
10.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads