vidar | 2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235

Analysis

max time kernel
147s
max time network
207s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

870KB
MD5

e2d9b6d75e486079765a8c73aa82e52e
SHA1

3ef57a6cdc8350240b27e1c832f0292a4a24e823
SHA256

2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235
SHA512

108164ff8d24e44e4bc5160c876ff64a07f069b1f2be4ff40251f0221bc5f35c7d598292e9770a931204b66bc87fefc87b2a78bfaaebe03f65ba82350a96e3d2
SSDEEP

24576:248cD30gdMnJImA0km0HIArQajeT0w+5gmbatBZCI:FIgdMnJImByrQ8eow+5gmYA

Score

10^/10

vidar 1325 spyware stealer

Malware Config

Extracted

Family

vidar

Version

55.9

Botnet

1325

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
1325

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

86422354719050849345.exe

pid process

908 86422354719050849345.exe

pid	process
908	86422354719050849345.exe

Loads dropped DLL 13 IoCs

Processes:

vbc.exe86422354719050849345.exeWerFault.exe

pid	process
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
908	86422354719050849345.exe
908	86422354719050849345.exe
908	86422354719050849345.exe
908	86422354719050849345.exe
472	WerFault.exe
472	WerFault.exe
472	WerFault.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

Processes:

Setup.exe86422354719050849345.exe

description	pid	process	target process
PID 1172 set thread context of 1492	1172	Setup.exe	vbc.exe
PID 908 set thread context of 968	908	86422354719050849345.exe	vbc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1120 1172 WerFault.exe Setup.exe
472 908 WerFault.exe 86422354719050849345.exe

pid	pid_target	process	target process
1120	1172	WerFault.exe	Setup.exe
472	908	WerFault.exe	86422354719050849345.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1492 vbc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Setup.exevbc.exe86422354719050849345.exe

description	pid	process	target process
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1492	1172	Setup.exe	vbc.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1172 wrote to memory of 1120	1172	Setup.exe	WerFault.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 1492 wrote to memory of 908	1492	vbc.exe	86422354719050849345.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 968	908	86422354719050849345.exe	vbc.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe
PID 908 wrote to memory of 472	908	86422354719050849345.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492

C:\ProgramData\86422354719050849345.exe
"C:\ProgramData\86422354719050849345.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 36
2⤵
- Program crash
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
C:\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
C:\ProgramData\MSVCP140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\VCRUNTIME140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\86422354719050849345.exe
Filesize
2.4MB

MD5
2b467f0545b1981e30aceab51e059e20

SHA1
65ec505e1a3334d53277c046d5e674bf3c742947

SHA256
def5d151079b3b584206933fcac5c5d0e51964a6662e36c9d067c9602f3768dd

SHA512
8878025af4bc1d0a6aefb774665f7af41c838eaea082125e8f6f2175b574fcabcd89b7c7d59f693c70357441f11d3e719beda155ee1903a5d7270d890e864613

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
memory/472-116-0x0000000000000000-mapping.dmp

Download
memory/908-92-0x0000000000000000-mapping.dmp

Download
memory/968-102-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/968-104-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/968-115-0x00000000004014B0-mapping.dmp

Download
memory/968-118-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/1120-67-0x0000000000000000-mapping.dmp

Download
memory/1172-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1492-68-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1492-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1492-64-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1492-63-0x000000000042318F-mapping.dmp

Download
memory/1492-57-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1492-55-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download