vidar | 36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/04/2023, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.2MB
MD5

c06097200ce77e7d68dc2ca18b183096
SHA1

378e60eee98c8407808c05561b144537d0b22731
SHA256

36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2
SHA512

022cc8ea990c987f95f1c50fbaaa4fd40568722574393183e17fe5bca8ab18f5b5ac44054b3708d616ff5b1065be0da1b6040024edc6ab610e5a908cb9eab2ec
SSDEEP

49152:MqfnQVsS7590/aJKx0Wp8BKgZsj8oZ703EPaaX8nlRMAEL:MqfQjN90/eKuWp8WfZY3naXiMl

Score

10^/10

vidar 76b614a229b9a88f7d0ba57796ab0fc2 evasion stealer themida trojan

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

76b614a229b9a88f7d0ba57796ab0fc2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
76b614a229b9a88f7d0ba57796ab0fc2
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/860-55-0x0000000000A40000-0x0000000000FE4000-memory.dmp	themida
behavioral1/memory/860-62-0x0000000000A40000-0x0000000000FE4000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
860	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 860 set thread context of 1788	860	file.exe	43

Program crash 1 IoCs

pid	pid_target	Process	procid_target
240	1788	WerFault.exe	43

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe
860	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 900	860	file.exe	28
PID 860 wrote to memory of 900	860	file.exe	28
PID 860 wrote to memory of 900	860	file.exe	28
PID 860 wrote to memory of 2004	860	file.exe	29
PID 860 wrote to memory of 2004	860	file.exe	29
PID 860 wrote to memory of 2004	860	file.exe	29
PID 860 wrote to memory of 1420	860	file.exe	30
PID 860 wrote to memory of 1420	860	file.exe	30
PID 860 wrote to memory of 1420	860	file.exe	30
PID 860 wrote to memory of 296	860	file.exe	31
PID 860 wrote to memory of 296	860	file.exe	31
PID 860 wrote to memory of 296	860	file.exe	31
PID 860 wrote to memory of 1312	860	file.exe	32
PID 860 wrote to memory of 1312	860	file.exe	32
PID 860 wrote to memory of 1312	860	file.exe	32
PID 860 wrote to memory of 968	860	file.exe	33
PID 860 wrote to memory of 968	860	file.exe	33
PID 860 wrote to memory of 968	860	file.exe	33
PID 860 wrote to memory of 568	860	file.exe	34
PID 860 wrote to memory of 568	860	file.exe	34
PID 860 wrote to memory of 568	860	file.exe	34
PID 860 wrote to memory of 516	860	file.exe	35
PID 860 wrote to memory of 516	860	file.exe	35
PID 860 wrote to memory of 516	860	file.exe	35
PID 860 wrote to memory of 1912	860	file.exe	36
PID 860 wrote to memory of 1912	860	file.exe	36
PID 860 wrote to memory of 1912	860	file.exe	36
PID 860 wrote to memory of 652	860	file.exe	37
PID 860 wrote to memory of 652	860	file.exe	37
PID 860 wrote to memory of 652	860	file.exe	37
PID 860 wrote to memory of 460	860	file.exe	38
PID 860 wrote to memory of 460	860	file.exe	38
PID 860 wrote to memory of 460	860	file.exe	38
PID 860 wrote to memory of 460	860	file.exe	38
PID 860 wrote to memory of 1492	860	file.exe	39
PID 860 wrote to memory of 1492	860	file.exe	39
PID 860 wrote to memory of 1492	860	file.exe	39
PID 860 wrote to memory of 1476	860	file.exe	40
PID 860 wrote to memory of 1476	860	file.exe	40
PID 860 wrote to memory of 1476	860	file.exe	40
PID 860 wrote to memory of 608	860	file.exe	41
PID 860 wrote to memory of 608	860	file.exe	41
PID 860 wrote to memory of 608	860	file.exe	41
PID 860 wrote to memory of 1908	860	file.exe	42
PID 860 wrote to memory of 1908	860	file.exe	42
PID 860 wrote to memory of 1908	860	file.exe	42
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 860 wrote to memory of 1788	860	file.exe	43
PID 1788 wrote to memory of 240	1788	Setup.exe	44
PID 1788 wrote to memory of 240	1788	Setup.exe	44
PID 1788 wrote to memory of 240	1788	Setup.exe	44
PID 1788 wrote to memory of 240	1788	Setup.exe	44

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 304
    3⤵
    - Program crash
    PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-55-0x0000000000A40000-0x0000000000FE4000-memory.dmp

Filesize
5.6MB

Download
memory/860-57-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/860-56-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/860-58-0x000000001B740000-0x000000001B7FC000-memory.dmp

Filesize
752KB

Download
memory/860-59-0x000000001B8B0000-0x000000001B930000-memory.dmp

Filesize
512KB

Download
memory/860-62-0x0000000000A40000-0x0000000000FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1788-60-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download