vidar | fa70210641dbdb01ebd60ff4b1e39efeeaa16d4570ef97f9f20824f5adb7d43c

Analysis

max time kernel
124s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 12:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

r3azexe.exe
Size

18.2MB
MD5

2bf6ddc2abe23a073214f97644b3b7dd
SHA1

1d8235fb23afe858e75f2a845fcdbf9a54475d92
SHA256

fa70210641dbdb01ebd60ff4b1e39efeeaa16d4570ef97f9f20824f5adb7d43c
SHA512

3b743e4b9fa20dec2db95a1d40ec844141895b870e0a9a19d7c8daa19fd41274309f25ce297cd95069265da25e0ea23b7f26e1086bb8cced1fdccf43afb6e335
SSDEEP

393216:MR/zZKuDHO7G9ysRXm31AB8I7j1ZxRNibP0aVesOPG:Y/zBuq9L8Anj19NWPZ

Score

10^/10

vidar e7ea1e37142cdab711cad668b60e14ab spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.6

Botnet

e7ea1e37142cdab711cad668b60e14ab

https://steamcommunity.com/profiles/76561199523054520

https://t.me/game4serv

Attributes

profile_id_v2
e7ea1e37142cdab711cad668b60e14ab
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 2 IoCs

pid	Process
4624	r3azexe.tmp
4616	pythonw.exe

Loads dropped DLL 7 IoCs

pid	Process
4624	r3azexe.tmp
4624	r3azexe.tmp
4624	r3azexe.tmp
4616	pythonw.exe
4616	pythonw.exe
648	explorer.exe
648	explorer.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 748	4616	pythonw.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1688	648	WerFault.exe	96

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4624	r3azexe.tmp
4624	r3azexe.tmp
4616	pythonw.exe
748	ftp.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4616	pythonw.exe
748	ftp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4624	r3azexe.tmp
4624	r3azexe.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4624	r3azexe.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4624	3752	r3azexe.exe	89
PID 3752 wrote to memory of 4624	3752	r3azexe.exe	89
PID 3752 wrote to memory of 4624	3752	r3azexe.exe	89
PID 4624 wrote to memory of 4616	4624	r3azexe.tmp	90
PID 4624 wrote to memory of 4616	4624	r3azexe.tmp	90
PID 4616 wrote to memory of 748	4616	pythonw.exe	91
PID 4616 wrote to memory of 748	4616	pythonw.exe	91
PID 4616 wrote to memory of 748	4616	pythonw.exe	91
PID 4616 wrote to memory of 748	4616	pythonw.exe	91
PID 748 wrote to memory of 648	748	ftp.exe	96
PID 748 wrote to memory of 648	748	ftp.exe	96
PID 748 wrote to memory of 648	748	ftp.exe	96
PID 748 wrote to memory of 648	748	ftp.exe	96
PID 748 wrote to memory of 648	748	ftp.exe	96

C:\Users\Admin\AppData\Local\Temp\r3azexe.exe
"C:\Users\Admin\AppData\Local\Temp\r3azexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\is-D1E51.tmp\r3azexe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D1E51.tmp\r3azexe.tmp" /SL5="$90204,18016680,1111552,C:\Users\Admin\AppData\Local\Temp\r3azexe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\pythonw.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\pythonw.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /FORCECLOSEAPPLICATIONS /SP- /portable=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\ftp.exe
      "C:\Windows\SysWOW64\ftp.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1860
        6⤵
        Program crash
        
        PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 648 -ip 648
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\37a7d8d9

Filesize
3.5MB

MD5
dcb177810c87cb7c3aff0d8e5a13b65a

SHA1
ecd3473816660fce159f0d997e093779bd567b25

SHA256
5950bd9bb14011a7cb7010ac16e6ebd42b86afc358a8a6945c5981d2abb973d3

SHA512
0decc0a6bb3d694ddd9ea8d1d9a80cda3b9e22a38a07f7c15d08cf1661a8c15eb0e49c1c0178ad6ca1afe680e098e378eb396a043a82f3b87c54d6101bba111b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D1E51.tmp\r3azexe.tmp

Filesize
3.3MB

MD5
8c0316be76fbf77df4136a62479f63d8

SHA1
72ca458005bf3a5d66c92060c549960adb6308f1

SHA256
022a0a6ba7998c811d8e11a0c13a75bed6f543413d610d94d192aa0613519eb0

SHA512
532e65b4908863b026178498fcd6b5d7b4183199c52b925c98833baaa4a825ca50cf03ef84125b772e8391b20a35372b3a1de3621c0e5e7a22955702fdced980

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\pw.txt

Filesize
10.2MB

MD5
030575ae0e5838d0b5470291037fac78

SHA1
f6262fd6727356fac52b8036e2a971832c5971af

SHA256
23ce709053b4acd2ebf8a92021d75b100b8c39d6bd638bec7d59b7f88f0516d5

SHA512
bcd0bdcc9b8efa217f663b5beab5a4125a7f7a70c1ef27c2eee30e2f024da90645e48d2fc0908f72bb8a06f412364f1aad1f8609dfd9e000b74306ae9474bf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\python311.dll

Filesize
5.5MB

MD5
95f677bfde12c28238b22dd7d4c79f41

SHA1
d639c92b44463552bfb424e8e367d423ec9b43f3

SHA256
61a8e867f661363f8650078f4aab409412b9b867c735476b0c4f1492e248ee1e

SHA512
f84148257fe68122c5a83f4b83d365922793e357b863194e4df73f5c4841d082c49fb62ba7f2e7742fdd0b824dc243c317d5bc16cf39f41673f7c575a3b5291f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\python311.dll

Filesize
5.5MB

MD5
95f677bfde12c28238b22dd7d4c79f41

SHA1
d639c92b44463552bfb424e8e367d423ec9b43f3

SHA256
61a8e867f661363f8650078f4aab409412b9b867c735476b0c4f1492e248ee1e

SHA512
f84148257fe68122c5a83f4b83d365922793e357b863194e4df73f5c4841d082c49fb62ba7f2e7742fdd0b824dc243c317d5bc16cf39f41673f7c575a3b5291f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\pythonw.exe

Filesize
99KB

MD5
9d0f19a3fdf077fc90cb1055018669fd

SHA1
0a5ade59ac8a697f6ea7f437be85e2d378597d5d

SHA256
695ec4080f596f485e4e36de383a32f18042bc13620cf93ba5708ec354b6ca0d

SHA512
ad4eb8f3a99122aff390b32de6394b604144c6bf5caa393cfe3b02c8c5df9508d346fb88e0d2c72591a05b5340937ee85f6b244583db9d19deecb2115de6d69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp+!@\ShellExtension_1.0.0.2_x64__y9tkjeeo9dvr4\Packages\vcruntime140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VVJ71.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
memory/648-186-0x0000000000C90000-0x0000000000FC2000-memory.dmp

Filesize
3.2MB

Download
memory/648-187-0x00007FFCAAEF0000-0x00007FFCAB0E5000-memory.dmp

Filesize
2.0MB

Download
memory/648-188-0x0000000000C90000-0x0000000000FC2000-memory.dmp

Filesize
3.2MB

Download
memory/648-199-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/648-251-0x0000000000C90000-0x0000000000FC2000-memory.dmp

Filesize
3.2MB

Download
memory/648-269-0x0000000000C90000-0x0000000000FC2000-memory.dmp

Filesize
3.2MB

Download
memory/748-185-0x00007FFCAAEF0000-0x00007FFCAB0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3752-181-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3752-133-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4616-182-0x00007FFC8B900000-0x00007FFC8CF77000-memory.dmp

Filesize
22.5MB

Download
memory/4624-179-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/4624-148-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4624-146-0x0000000003740000-0x0000000003755000-memory.dmp

Filesize
84KB

Download