vidar | 1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588

Analysis

max time kernel
98s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SZOI-Wyciek-20-03-2023.xll
Size

718KB
MD5

11f82e84e17670912b1f93c827ed7f35
SHA1

d5f4e666ca2b2cab3451ff784659cc22b4957a49
SHA256

1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588
SHA512

ef57cb2d05947dbdaa1bb561e58cc8248a3a13c6484017df2b074b9170c2f296a0c063d5252190662e669035ba885fea946734e452805770a66c9c510f2df914
SSDEEP

12288:5n/zDvGHAykHSzLW/4+8bzbBSreMdCQ4gLuUkvSK/7gFK/UqW53:dzbGHAzHAjX1yq3vSK/rcL

Score

10^/10

vidar e37abeff0df24a473dacaf8467d6fa48 discovery spyware stealer

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

vidar

Version

Botnet

e37abeff0df24a473dacaf8467d6fa48

https://t.me/zaskullz

https://steamcommunity.com/profiles/76561199486572327

http://135.181.87.234:80

Attributes

profile_id_v2
e37abeff0df24a473dacaf8467d6fa48

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2628	664	cmd.exe	81

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4128	Date2023.exe

Loads dropped DLL 4 IoCs

pid	Process
664	EXCEL.EXE
664	EXCEL.EXE
4128	Date2023.exe
4128	Date2023.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	4128	WerFault.exe	86

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Date2023.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Date2023.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
664	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4540	EXCEL.EXE
4540	EXCEL.EXE
4128	Date2023.exe
4128	Date2023.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
664	EXCEL.EXE
664	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
4540	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 4128	664	EXCEL.EXE	86
PID 664 wrote to memory of 4128	664	EXCEL.EXE	86
PID 664 wrote to memory of 4128	664	EXCEL.EXE	86
PID 664 wrote to memory of 2628	664	EXCEL.EXE	87
PID 664 wrote to memory of 2628	664	EXCEL.EXE	87
PID 2628 wrote to memory of 4540	2628	cmd.exe	90
PID 2628 wrote to memory of 4540	2628	cmd.exe	90
PID 2628 wrote to memory of 4540	2628	cmd.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SZOI-Wyciek-20-03-2023.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\AppData\Local\Temp\Date2023.exe
  "C:\Users\Admin\AppData\Local\Temp\Date2023.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1620
    3⤵
    - Program crash
    PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %temp%/Excel.xlsx
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Excel.xlsx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4128 -ip 4128
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
db1d6a7eceeb51140f61aaf980f27a67

SHA1
caac1acaab3603d9da069ac321eeff85eb530964

SHA256
28b308410170030a11f18b2ee4ed1a3a9f3417fa32bb5fdfaa1de57ea238a727

SHA512
9cb17b9bad947497014837374c303280d4672a13adbfb8a7837580d4a183fb56cb07e44c04fe36ff912d79cd72424f739ca454d65e39a5d76e3c1fad556ba079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
b157cca91c53a31d1842298912c18b21

SHA1
8ad4c5643679bd8ed31620eb4d5abdc850b09dc7

SHA256
b400882e6a536cb3b5bd308781e9a346218b59c95612e39cebbcd76f6daa2f36

SHA512
607129b62e555dee9827676e7281ba2e66dfd5403f35923738ee588fa5e58e9b4feec1e390d2202392560717113e0fd04a1737731fd1000c2d74d60320d32af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
325KB

MD5
0e3e0fa602a0e208dce34c50704e2b56

SHA1
e1ed5eab2d06872bb50a607b7966c01b81ecd2f5

SHA256
28d53bd99ec106eef21de121509cdee6e575cde44613aa59aa3a70e6449678f5

SHA512
1ca09a46e162064b05ce301df35ffad39afa13ae22c404248593bd6ce700e94019b4ac66fb129af1d6ba89d0c9c5369e32d498e80bdfccde860a9b94ec96112f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
48KB

MD5
6084e46b5c2d070515e22983ad5db45b

SHA1
70db49018181fd902c5b54ad13a964c2401cd75d

SHA256
57413a466fcb03b6fceea23d4964677f02bbf1ec386e8d3e7ee01f1e5cb174be

SHA512
1d8436f42466221749fa7cd798868890b1726da82a8cdac1816f31f8c1e20004fc9cb551372506f8303bf27df0e9a541f3077b32dffe915e89166eb798f07821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
48KB

MD5
6084e46b5c2d070515e22983ad5db45b

SHA1
70db49018181fd902c5b54ad13a964c2401cd75d

SHA256
57413a466fcb03b6fceea23d4964677f02bbf1ec386e8d3e7ee01f1e5cb174be

SHA512
1d8436f42466221749fa7cd798868890b1726da82a8cdac1816f31f8c1e20004fc9cb551372506f8303bf27df0e9a541f3077b32dffe915e89166eb798f07821

Download Submit
C:\Users\Admin\AppData\Local\Temp\Date2023.exe

Filesize
1024KB

MD5
f7fd4791be2e2624b7fbb1d91ab2f539

SHA1
5e293bd82fc478a0891a092e02a7576d6a9799d9

SHA256
be82beca4c46e17fb1d4e7f23cf028f61b0d6e64d39146f31f1e7072ecf95fbe

SHA512
340d18119fe408976e06e78ab8fa44c900981b25025389e6da674d662945986456d6ed98ffc7a478ff9583b147cb77a4df339e6e4b9734952c69693e53e20882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Date2023.exe

Filesize
1024KB

MD5
f7fd4791be2e2624b7fbb1d91ab2f539

SHA1
5e293bd82fc478a0891a092e02a7576d6a9799d9

SHA256
be82beca4c46e17fb1d4e7f23cf028f61b0d6e64d39146f31f1e7072ecf95fbe

SHA512
340d18119fe408976e06e78ab8fa44c900981b25025389e6da674d662945986456d6ed98ffc7a478ff9583b147cb77a4df339e6e4b9734952c69693e53e20882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Date2023.exe

Filesize
1024KB

MD5
f7fd4791be2e2624b7fbb1d91ab2f539

SHA1
5e293bd82fc478a0891a092e02a7576d6a9799d9

SHA256
be82beca4c46e17fb1d4e7f23cf028f61b0d6e64d39146f31f1e7072ecf95fbe

SHA512
340d18119fe408976e06e78ab8fa44c900981b25025389e6da674d662945986456d6ed98ffc7a478ff9583b147cb77a4df339e6e4b9734952c69693e53e20882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excel.xlsx

Filesize
22KB

MD5
67126c10471b06d8a5b86d78bd6052f4

SHA1
be761cefbe0c6a5ad21ac5711bf23f1445975018

SHA256
b1a696a48c2238c1edc19b505f50edcedc73bad4a6e6fb6ca1d4cd5a0649200a

SHA512
e7c06a9c5c2aabb75ce8a742216b7c971073be939d254b80ac0a8d0d35b031d3b06515d9be86012d6a674914c85be1ecd0d6b0b96b2da52154ac4649040cf819

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZOI-Wyciek-20-03-2023.xll

Filesize
718KB

MD5
11f82e84e17670912b1f93c827ed7f35

SHA1
d5f4e666ca2b2cab3451ff784659cc22b4957a49

SHA256
1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588

SHA512
ef57cb2d05947dbdaa1bb561e58cc8248a3a13c6484017df2b074b9170c2f296a0c063d5252190662e669035ba885fea946734e452805770a66c9c510f2df914

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZOI-Wyciek-20-03-2023.xll

Filesize
718KB

MD5
11f82e84e17670912b1f93c827ed7f35

SHA1
d5f4e666ca2b2cab3451ff784659cc22b4957a49

SHA256
1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588

SHA512
ef57cb2d05947dbdaa1bb561e58cc8248a3a13c6484017df2b074b9170c2f296a0c063d5252190662e669035ba885fea946734e452805770a66c9c510f2df914

Download Submit
memory/664-148-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-209-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-153-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-154-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-151-0x000001EFA9540000-0x000001EFA9552000-memory.dmp

Filesize
72KB

Download
memory/664-150-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-149-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-133-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/664-147-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-144-0x000001EFA7E50000-0x000001EFA7F1D000-memory.dmp

Filesize
820KB

Download
memory/664-139-0x00007FFBFA960000-0x00007FFBFA970000-memory.dmp

Filesize
64KB

Download
memory/664-138-0x00007FFBFA960000-0x00007FFBFA970000-memory.dmp

Filesize
64KB

Download
memory/664-137-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/664-134-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/664-135-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/664-136-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/664-208-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-203-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-204-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-205-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-207-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-206-0x000001EFC1870000-0x000001EFC1880000-memory.dmp

Filesize
64KB

Download
memory/664-152-0x000001EFA9520000-0x000001EFA952A000-memory.dmp

Filesize
40KB

Download
memory/4128-212-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4128-222-0x0000000051290000-0x0000000051383000-memory.dmp

Filesize
972KB

Download
memory/4128-292-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4128-293-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4540-201-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/4540-200-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/4540-198-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download
memory/4540-199-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

Filesize
64KB

Download