vidar | 6ba3d50f87b4c2c81a8ab9247f2fafa6f4ec31d1f3acffbdb40a83ab351df9be

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2023 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c4d8c8f396f66d9b556ab05344a8cd.exe
Size

93KB
MD5

90c4d8c8f396f66d9b556ab05344a8cd
SHA1

4869f0a7a3a68f4638556e9df0eef34ea0fdc9d7
SHA256

6ba3d50f87b4c2c81a8ab9247f2fafa6f4ec31d1f3acffbdb40a83ab351df9be
SHA512

4d5a61a89f6e003b92f093385bd56f5d798ac73c1cc524b261a3ff704d251ef1cb450177404651b072feab954c94f617a88bdb55620920ac620c2c115d6b960f
SSDEEP

1536:Irae78zjORCDGwfdCSog01313OQs5gcURDoq4OZZZLlCIibQwfclq8wJ:AahKyd2n31+Z5IRD68wbQbl4J

Score

10^/10

vidar 89433a6dbe159bb95b623839dcca3e27 persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.3

Botnet

89433a6dbe159bb95b623839dcca3e27

https://steamcommunity.com/profiles/76561199514261168

https://t.me/kamaprimo

Attributes

profile_id_v2
89433a6dbe159bb95b623839dcca3e27
user_agent
Mozilla/5.0 (Linux; U; Tizen 2.0; en-us) AppleWebKit/537.1 (KHTML, like Gecko) Mobile TizenBrowser/2.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 2 IoCs

pid	Process
2904	lieequipment.exe
4256	lieequipment0.exe

Loads dropped DLL 2 IoCs

pid	Process
4624	AppLaunch.exe
4624	AppLaunch.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	90c4d8c8f396f66d9b556ab05344a8cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90c4d8c8f396f66d9b556ab05344a8cd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 4624	2904	lieequipment.exe	92

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	lieequipment.exe
Token: SeDebugPrivilege	4256	lieequipment0.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2904	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	84
PID 4232 wrote to memory of 2904	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	84
PID 4232 wrote to memory of 2904	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	84
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 4232 wrote to memory of 4256	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	93
PID 4232 wrote to memory of 4256	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	93

C:\Users\Admin\AppData\Local\Temp\90c4d8c8f396f66d9b556ab05344a8cd.exe
"C:\Users\Admin\AppData\Local\Temp\90c4d8c8f396f66d9b556ab05344a8cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe

Filesize
16KB

MD5
1b50dfac3f2bfb78cdf4601b8e1b5c61

SHA1
63c08f6cbc2540e0dd31e6ca0e8d649f26abc57e

SHA256
18101e579338bca278f44f05e1fdb3e7efdd13bc426a37bba23b6217263ebfcb

SHA512
d3fda38fb10d5377c033c63a81a825a04906843e4e83f33162e9f495d17ffdd17355c173aa61c8358ad8094d433bfe633de9864f4918d287c8e9ab98393177f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe

Filesize
16KB

MD5
1b50dfac3f2bfb78cdf4601b8e1b5c61

SHA1
63c08f6cbc2540e0dd31e6ca0e8d649f26abc57e

SHA256
18101e579338bca278f44f05e1fdb3e7efdd13bc426a37bba23b6217263ebfcb

SHA512
d3fda38fb10d5377c033c63a81a825a04906843e4e83f33162e9f495d17ffdd17355c173aa61c8358ad8094d433bfe633de9864f4918d287c8e9ab98393177f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe

Filesize
16KB

MD5
3fbb7eeb588e7f4dfb7226b4c9e3b4eb

SHA1
2741b26fbf15dd3966ccacc70f07abc5fc3787c0

SHA256
adb08edeb6ecb03217dfa385358ade3e984e40ecb379ef1e83cf5ceb133044d1

SHA512
f8d1e43649430758d05ec2e214939b1778dafe8f731974425d8710f4d1a4afbb341deedd3bb889340889a514acd62c83b8f8378bbbe235e864fb209d2db539d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe

Filesize
16KB

MD5
3fbb7eeb588e7f4dfb7226b4c9e3b4eb

SHA1
2741b26fbf15dd3966ccacc70f07abc5fc3787c0

SHA256
adb08edeb6ecb03217dfa385358ade3e984e40ecb379ef1e83cf5ceb133044d1

SHA512
f8d1e43649430758d05ec2e214939b1778dafe8f731974425d8710f4d1a4afbb341deedd3bb889340889a514acd62c83b8f8378bbbe235e864fb209d2db539d7

Download Submit
memory/2904-171-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-181-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-142-0x0000000006990000-0x0000000006F34000-memory.dmp

Filesize
5.6MB

Download
memory/2904-143-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/2904-144-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-145-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-147-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-149-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-151-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-153-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-155-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-157-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-159-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-161-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-163-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-165-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-167-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-169-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-140-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/2904-173-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-175-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-177-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-179-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-141-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/2904-183-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-185-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-187-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-189-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-191-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-193-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-195-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-197-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-199-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-201-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-203-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-205-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-207-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-1066-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2904-1067-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4256-1075-0x0000026E07180000-0x0000026E0718A000-memory.dmp

Filesize
40KB

Download
memory/4256-1085-0x0000026E21700000-0x0000026E21710000-memory.dmp

Filesize
64KB

Download
memory/4256-2079-0x0000026E08E70000-0x0000026E08E71000-memory.dmp

Filesize
4KB

Download
memory/4256-2080-0x0000026E21700000-0x0000026E21710000-memory.dmp

Filesize
64KB

Download
memory/4624-1076-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4624-1535-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download