vidar | b11e85d0eed98a012f018c818f72a0bc0d0521ea132a45a58f5de92da924c225

General

Target

bank_statement.scr
Size

25.0MB
MD5

dedd66f7cdc48224fb7fcbc795f69bfd
SHA1

00ab7277c89b9f0608f00997b219881a92e36888
SHA256

b11e85d0eed98a012f018c818f72a0bc0d0521ea132a45a58f5de92da924c225
SHA512

4ea3119416c786ec9667eaa499b3af40d196f4ecf2ffaac5e5b78ccbaba34ab867e302a10fc7964dc95284fafcffdeca3361886dffdc2c2ba2bf2fb5e664b8c3
SSDEEP

393216:iEbUSKA4SNAwLpQfgVehx8oyLZ8Ae0sCK9UCUQkiWajOHkzhSbfA:7bUXA4Vv9eoyt8Ae07K2CUdiWajOHe

Score

10^/10

vidar 850dc0663d2676536f88b82b3382fcb4 spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.1

Botnet

850dc0663d2676536f88b82b3382fcb4

C2

https://steamcommunity.com/profiles/76561199510444991

https://t.me/task4manager

Attributes

profile_id_v2
850dc0663d2676536f88b82b3382fcb4
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	bank_statement.scr

Loads dropped DLL 2 IoCs

pid	Process
232	AddInProcess32.exe
232	AddInProcess32.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 232	2704	bank_statement.scr	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
2704	bank_statement.scr
3328	powershell.exe
3328	powershell.exe
2220	powershell.exe
2220	powershell.exe
232	AddInProcess32.exe
232	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 3328	2704	bank_statement.scr	85
PID 2704 wrote to memory of 3328	2704	bank_statement.scr	85
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 2220	2704	bank_statement.scr	89
PID 2704 wrote to memory of 2220	2704	bank_statement.scr	89
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88
PID 2704 wrote to memory of 232	2704	bank_statement.scr	88

C:\Users\Admin\AppData\Local\Temp\bank_statement.scr
"C:\Users\Admin\AppData\Local\Temp\bank_statement.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3af0fe7f6bead950f076de281a5a1d2

SHA1
e55d189a5525b7871835548e5f777de0ff42e755

SHA256
ce484ca22f8966e31b9b5aafef1a970d37525122fb7c9d39976e743264f77890

SHA512
9818ad2387ceba8fe3afbe60070354c39eb13783653e8e28c84bd7e61678627942a6df06778d4e4b72d525c843d74bd97e4edc93af960e45500912e41c2c5693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpui1uvy.xjk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/232-188-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/232-178-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/232-175-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/232-256-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/232-257-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2220-173-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmp

Filesize
64KB

Download
memory/2220-172-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmp

Filesize
64KB

Download
memory/2220-171-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmp

Filesize
64KB

Download
memory/2704-139-0x00007FF94C230000-0x00007FF94C232000-memory.dmp

Filesize
8KB

Download
memory/2704-177-0x0000000001FA0000-0x0000000002023000-memory.dmp

Filesize
524KB

Download
memory/2704-134-0x00007FF94E5A0000-0x00007FF94E5A2000-memory.dmp

Filesize
8KB

Download
memory/2704-135-0x00007FF94E5B0000-0x00007FF94E5B2000-memory.dmp

Filesize
8KB

Download
memory/2704-154-0x0000000001FA0000-0x0000000002023000-memory.dmp

Filesize
524KB

Download
memory/2704-136-0x00007FF94E060000-0x00007FF94E062000-memory.dmp

Filesize
8KB

Download
memory/2704-140-0x0000000140000000-0x00000001428FF000-memory.dmp

Filesize
41.0MB

Download
memory/2704-137-0x00007FF94E070000-0x00007FF94E072000-memory.dmp

Filesize
8KB

Download
memory/2704-133-0x00007FF94E590000-0x00007FF94E592000-memory.dmp

Filesize
8KB

Download
memory/2704-138-0x00007FF94C220000-0x00007FF94C222000-memory.dmp

Filesize
8KB

Download
memory/3328-157-0x0000014499660000-0x0000014499670000-memory.dmp

Filesize
64KB

Download
memory/3328-144-0x00000144997F0000-0x0000014499812000-memory.dmp

Filesize
136KB

Download
memory/3328-155-0x0000014499660000-0x0000014499670000-memory.dmp

Filesize
64KB

Download
memory/3328-156-0x0000014499660000-0x0000014499670000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads