vidar | c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51

General

Target

bank_statement.scr.exe
Size

37.0MB
MD5

61e6735126b6504424d090ac796f8a49
SHA1

7e8838d573b193beedfa12ff74e1e4933944587a
SHA256

c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51
SHA512

b24367cca3405aed1f55517242b4680d94cc149ba8bc112af5eb37ba2c86e873a11b7ee117138a0ffc1597e6e175d2d1f9db0c79188cb9cbc5d2cfb5edf3ed9c
SSDEEP

393216:NS3GX6iThaMcP5L56QHbe/klf3FWpis6n93CnVspY9rw20amy/dtzEvQ4iD6t+t2:a3iTkFVBn9Tpkw3dUzMri2ty7I9

Score

10^/10

vidar 655d9e590e95375f4ab0b3055662ab2e spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

655d9e590e95375f4ab0b3055662ab2e

C2

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
655d9e590e95375f4ab0b3055662ab2e
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	bank_statement.scr.exe

Loads dropped DLL 2 IoCs

pid	Process
4872	AddInProcess32.exe
4872	AddInProcess32.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 4872	2196	bank_statement.scr.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AddInProcess32.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4852	timeout.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
2196	bank_statement.scr.exe
1820	powershell.exe
1820	powershell.exe
1440	powershell.exe
1440	powershell.exe
2064	powershell.exe
2064	powershell.exe
4872	AddInProcess32.exe
4872	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1820	2196	bank_statement.scr.exe	83
PID 2196 wrote to memory of 1820	2196	bank_statement.scr.exe	83
PID 2196 wrote to memory of 3356	2196	bank_statement.scr.exe	85
PID 2196 wrote to memory of 3356	2196	bank_statement.scr.exe	85
PID 2196 wrote to memory of 3356	2196	bank_statement.scr.exe	85
PID 2196 wrote to memory of 1440	2196	bank_statement.scr.exe	86
PID 2196 wrote to memory of 1440	2196	bank_statement.scr.exe	86
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 2064	2196	bank_statement.scr.exe	95
PID 2196 wrote to memory of 2064	2196	bank_statement.scr.exe	95
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 2196 wrote to memory of 4872	2196	bank_statement.scr.exe	94
PID 4872 wrote to memory of 3288	4872	AddInProcess32.exe	98
PID 4872 wrote to memory of 3288	4872	AddInProcess32.exe	98
PID 4872 wrote to memory of 3288	4872	AddInProcess32.exe	98
PID 3288 wrote to memory of 4852	3288	cmd.exe	100
PID 3288 wrote to memory of 4852	3288	cmd.exe	100
PID 3288 wrote to memory of 4852	3288	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\bank_statement.scr.exe
"C:\Users\Admin\AppData\Local\Temp\bank_statement.scr.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:3356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3db5a3b556b01c59c5812cb86abb674e

SHA1
3848e5419d5c47879f159247e4f1b08005674cf0

SHA256
218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

SHA512
3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f996b44e71bcf8e9d9bd5ef2a96a963

SHA1
61a10fcfb7bad1271f7132c7491982a916489af0

SHA256
78d612ffa268c2871faf8e656889f9ec6475890ff2763410dbf434a343ad9a0d

SHA512
84815d678a672aa99d4834fa4c0a42089bec36da593caabc337dc66180a8ebd0131e65fb68ba645d3d68e80a5e7808e0dcf5b0ff1cb2a46786d532b088b44515

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lmourhj.wua.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1440-170-0x000001CDE1320000-0x000001CDE1330000-memory.dmp

Filesize
64KB

Download
memory/1440-171-0x000001CDE1320000-0x000001CDE1330000-memory.dmp

Filesize
64KB

Download
memory/1440-172-0x000001CDE1320000-0x000001CDE1330000-memory.dmp

Filesize
64KB

Download
memory/1820-150-0x00000149D10E0000-0x00000149D1102000-memory.dmp

Filesize
136KB

Download
memory/1820-155-0x00000149CEFF0000-0x00000149CF000000-memory.dmp

Filesize
64KB

Download
memory/1820-154-0x00000149CEFF0000-0x00000149CF000000-memory.dmp

Filesize
64KB

Download
memory/1820-156-0x00000149CEFF0000-0x00000149CF000000-memory.dmp

Filesize
64KB

Download
memory/2064-185-0x00000247B2350000-0x00000247B2360000-memory.dmp

Filesize
64KB

Download
memory/2064-184-0x00000247B2350000-0x00000247B2360000-memory.dmp

Filesize
64KB

Download
memory/2064-186-0x00000247B2350000-0x00000247B2360000-memory.dmp

Filesize
64KB

Download
memory/2196-137-0x00007FFDA8AA0000-0x00007FFDA8AA2000-memory.dmp

Filesize
8KB

Download
memory/2196-140-0x00007FF72F840000-0x00007FF73348C000-memory.dmp

Filesize
60.3MB

Download
memory/2196-136-0x00007FFDA8A90000-0x00007FFDA8A92000-memory.dmp

Filesize
8KB

Download
memory/2196-138-0x00007FFDA6E60000-0x00007FFDA6E62000-memory.dmp

Filesize
8KB

Download
memory/2196-139-0x00007FFDA6E70000-0x00007FFDA6E72000-memory.dmp

Filesize
8KB

Download
memory/2196-133-0x00007FFDA9010000-0x00007FFDA9012000-memory.dmp

Filesize
8KB

Download
memory/2196-135-0x00007FFDA9030000-0x00007FFDA9032000-memory.dmp

Filesize
8KB

Download
memory/2196-134-0x00007FFDA9020000-0x00007FFDA9022000-memory.dmp

Filesize
8KB

Download
memory/4872-188-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4872-190-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4872-200-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4872-241-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4872-242-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads