vidar | 4f9c751502c5a0f0783d4ce9e2dab195b4088e184037a2828a5d4ba0fcd098d9

General

Target

Latest_Setup_1234_Pass.rar
Size

6.7MB
MD5

7eb5803eb4ceef294a77965cbfe08b15
SHA1

ab3e0092fcb570a0748dd9a373767abc41dccf9a
SHA256

4f9c751502c5a0f0783d4ce9e2dab195b4088e184037a2828a5d4ba0fcd098d9
SHA512

adf94da82ff4f7476555cd3fddb434f211ab8ed27a1616ca29250dbdc611faca28b7e5b5eb0609c73d68b697496cbfa25c1ab7a4ab3083f195c3f9d9803555fb
SSDEEP

196608:+MZrAnnXNLoTq1QFK60js3RzUfdUF96Siwuz:JrWP1QYtQxsdWy

Score

10^/10

vidar 1281 stealer

Malware Config

Extracted

Family

vidar

Version

54.6

Botnet

1281

C2

https://t.me/parampampamsss

Attributes

profile_id
1281

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 3 IoCs

Processes:

Setup.exeSetup.exeSetup.exe

pid process

4548 Setup.exe
1044 Setup.exe
1132 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1120 NOTEPAD.EXE

pid	process
1120	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Setup.exeSetup.exeSetup.exe

pid	process
4548	Setup.exe
4548	Setup.exe
4548	Setup.exe
4548	Setup.exe
1044	Setup.exe
1044	Setup.exe
1044	Setup.exe
1044	Setup.exe
1132	Setup.exe
1132	Setup.exe
1132	Setup.exe
1132	Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	1916	7zG.exe
Token: 35	1916	7zG.exe
Token: SeSecurityPrivilege	1916	7zG.exe
Token: SeSecurityPrivilege	1916	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1916 7zG.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1452 OpenWith.exe

pid	process
1916	7zG.exe

pid	process
1452	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar
1⤵
- Modifies registry class
PID:3692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1800

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\" -spe -an -ai#7zMap14450:102:7zEvent11669
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
"C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\filework.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1120

C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
"C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
"C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
Filesize
374.0MB

MD5
4b5a8b4c9509f42358d2109a5744b0ec

SHA1
c4f017ea690cd70ab6520a24377b3932f337c9d1

SHA256
36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f

SHA512
36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

Download Submit
C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
Filesize
374.0MB

MD5
4b5a8b4c9509f42358d2109a5744b0ec

SHA1
c4f017ea690cd70ab6520a24377b3932f337c9d1

SHA256
36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f

SHA512
36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

Download Submit
C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
Filesize
374.0MB

MD5
4b5a8b4c9509f42358d2109a5744b0ec

SHA1
c4f017ea690cd70ab6520a24377b3932f337c9d1

SHA256
36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f

SHA512
36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

Download Submit
C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
Filesize
374.0MB

MD5
4b5a8b4c9509f42358d2109a5744b0ec

SHA1
c4f017ea690cd70ab6520a24377b3932f337c9d1

SHA256
36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f

SHA512
36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

Download Submit
C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\filework.txt
Filesize
4B

MD5
81dc9bdb52d04dc20036dbd8313ed055

SHA1
7110eda4d09e062aa5e4a390b0a572ac0d2c0220

SHA256
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4

SHA512
d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db

Download Submit
memory/1044-141-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/1044-144-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/1132-146-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/1132-149-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/1132-150-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/4548-139-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/4548-137-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download
memory/4548-134-0x0000000000DC0000-0x000000000185D000-memory.dmp

Filesize
10.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads