vidar | fd1a09c372f39636d4d547a96121d7da03bea79dabb95717a8636b0d7aed8194

Analysis

max time kernel
193s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1fb177e49034e7e8a74d4abf6384bcc.exe
Size

650KB
MD5

b1fb177e49034e7e8a74d4abf6384bcc
SHA1

a69eebde817629278554b07ac52646fbdc518740
SHA256

fd1a09c372f39636d4d547a96121d7da03bea79dabb95717a8636b0d7aed8194
SHA512

7f334266cb5208684fdaa861d75f33505c14ff427b89a63cebe7bb4b0026bbdb7ce064b7d5129dfeaa1c9b8843f7a3d1836561afa5e0b8714ccddb8c47f4473b
SSDEEP

6144:XMVPUy1UJ/h4HLvP0BKzOwTq9yytYpK+zWmx1SlW9EE:XeUh6DiKzVq7izxHSuEE

Score

10^/10

vidar 1855 stealer

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1855

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
1855

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 1 IoCs

pid	Process
632	build.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b1fb177e49034e7e8a74d4abf6384bcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	b1fb177e49034e7e8a74d4abf6384bcc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 632	3768	b1fb177e49034e7e8a74d4abf6384bcc.exe	87
PID 3768 wrote to memory of 632	3768	b1fb177e49034e7e8a74d4abf6384bcc.exe	87
PID 3768 wrote to memory of 632	3768	b1fb177e49034e7e8a74d4abf6384bcc.exe	87

C:\Users\Admin\AppData\Local\Temp\b1fb177e49034e7e8a74d4abf6384bcc.exe
"C:\Users\Admin\AppData\Local\Temp\b1fb177e49034e7e8a74d4abf6384bcc.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\Temp\build.exe
  "C:\Windows\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\build.exe

Filesize
292KB

MD5
04970887e6dceb98760088b64f41bf42

SHA1
b56d5ab7fd3cb4b89f5ac5852c7c50820256ce1e

SHA256
8615b806ea84a135fd61b9b69f1aef0dd4761b4698cd3e7d3a2f518f991fd208

SHA512
46bcc1a8fee03e6b022173ab88e49ca39db23404a7c2aa3f45cd70297f5c46baa6c947842085a8d9816c7bea0b6e1a4414b17a6d6902a5737d2ab20bf3ef1aaa

Download Submit
C:\Windows\Temp\build.exe

Filesize
292KB

MD5
04970887e6dceb98760088b64f41bf42

SHA1
b56d5ab7fd3cb4b89f5ac5852c7c50820256ce1e

SHA256
8615b806ea84a135fd61b9b69f1aef0dd4761b4698cd3e7d3a2f518f991fd208

SHA512
46bcc1a8fee03e6b022173ab88e49ca39db23404a7c2aa3f45cd70297f5c46baa6c947842085a8d9816c7bea0b6e1a4414b17a6d6902a5737d2ab20bf3ef1aaa

Download Submit
memory/3768-132-0x0000000000BC0000-0x0000000000C68000-memory.dmp

Filesize
672KB

Download