vidar | d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366

Analysis

max time kernel
118s
max time network
162s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe
Size

614KB
MD5

f2e35af2013a8cf04a5ab63348b6958d
SHA1

eca2a467462ff167d3511ca0fdd5373228612718
SHA256

d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366
SHA512

5609c88267fbf4452c7dd0b2e7bc97e2e02752b2333993ea0e9f91425fd9315b626ada9a392210224ed2fe7da1fdf57e7a74837b38a31ef5b57e18af791a5ad7
SSDEEP

12288:0hqxSLo5C1Ps4XhAjN8GVNoBlR+m651ItSpDvg6q/BCOg:0HLmCiIhoB7oFSzIYtUxg

Score

10^/10

vidar 43a6ce95ca0edbaf09babc2b3d43fe58 spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

43a6ce95ca0edbaf09babc2b3d43fe58

https://t.me/versozaline

https://steamcommunity.com/profiles/76561199532186526

Attributes

profile_id_v2
43a6ce95ca0edbaf09babc2b3d43fe58
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 2 IoCs

pid	Process
2104	work.exe
3052	fwa.exe

Loads dropped DLL 7 IoCs

pid	Process
2532	cmd.exe
2104	work.exe
2104	work.exe
2104	work.exe
2104	work.exe
3052	fwa.exe
3052	fwa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	fwa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	fwa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	fwa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	fwa.exe
3052	fwa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2532	2676	d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe	28
PID 2676 wrote to memory of 2532	2676	d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe	28
PID 2676 wrote to memory of 2532	2676	d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe	28
PID 2676 wrote to memory of 2532	2676	d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe	28
PID 2532 wrote to memory of 2104	2532	cmd.exe	30
PID 2532 wrote to memory of 2104	2532	cmd.exe	30
PID 2532 wrote to memory of 2104	2532	cmd.exe	30
PID 2532 wrote to memory of 2104	2532	cmd.exe	30
PID 2104 wrote to memory of 3052	2104	work.exe	31
PID 2104 wrote to memory of 3052	2104	work.exe	31
PID 2104 wrote to memory of 3052	2104	work.exe	31
PID 2104 wrote to memory of 3052	2104	work.exe	31

C:\Users\Admin\AppData\Local\Temp\d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe
"C:\Users\Admin\AppData\Local\Temp\d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB9DF.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
472KB

MD5
d6e431913e1d69ef6c4ec19ba446f358

SHA1
2df7f0c45a010e7a45e746aecfd6234f71e7109e

SHA256
1e92acabf037a60e7fbb97c0ba73e997bb4b602ad51333871423b778cae4f0b1

SHA512
959f165c8a5d2bc2f186968369ddcbd41a4ce75254e68f649d363d4ac1d1ff501eaef08e8ce03e4c2951155f34dbf2422d57470cf784a5aa29f9e260efd08dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
472KB

MD5
d6e431913e1d69ef6c4ec19ba446f358

SHA1
2df7f0c45a010e7a45e746aecfd6234f71e7109e

SHA256
1e92acabf037a60e7fbb97c0ba73e997bb4b602ad51333871423b778cae4f0b1

SHA512
959f165c8a5d2bc2f186968369ddcbd41a4ce75254e68f649d363d4ac1d1ff501eaef08e8ce03e4c2951155f34dbf2422d57470cf784a5aa29f9e260efd08dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
467KB

MD5
1f389ce8dd14fa092a05104ef99ae174

SHA1
bed9a333fde16a8895d443a9b454649e16083b02

SHA256
8463de48951e8efed8a7c23cc5bc70a95ef7006f5d620f458f3f9f7732f889ae

SHA512
aad444df8f998c73be5819cb5e045a95fe9714aaeb049cc65f89b86770ea44afe277564f0f2fdc88b4cf97aa69b8fe7291f1b22c711c934ac2f0f7fb3bd2895d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
467KB

MD5
1f389ce8dd14fa092a05104ef99ae174

SHA1
bed9a333fde16a8895d443a9b454649e16083b02

SHA256
8463de48951e8efed8a7c23cc5bc70a95ef7006f5d620f458f3f9f7732f889ae

SHA512
aad444df8f998c73be5819cb5e045a95fe9714aaeb049cc65f89b86770ea44afe277564f0f2fdc88b4cf97aa69b8fe7291f1b22c711c934ac2f0f7fb3bd2895d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBAAD.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
472KB

MD5
d6e431913e1d69ef6c4ec19ba446f358

SHA1
2df7f0c45a010e7a45e746aecfd6234f71e7109e

SHA256
1e92acabf037a60e7fbb97c0ba73e997bb4b602ad51333871423b778cae4f0b1

SHA512
959f165c8a5d2bc2f186968369ddcbd41a4ce75254e68f649d363d4ac1d1ff501eaef08e8ce03e4c2951155f34dbf2422d57470cf784a5aa29f9e260efd08dc8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
467KB

MD5
1f389ce8dd14fa092a05104ef99ae174

SHA1
bed9a333fde16a8895d443a9b454649e16083b02

SHA256
8463de48951e8efed8a7c23cc5bc70a95ef7006f5d620f458f3f9f7732f889ae

SHA512
aad444df8f998c73be5819cb5e045a95fe9714aaeb049cc65f89b86770ea44afe277564f0f2fdc88b4cf97aa69b8fe7291f1b22c711c934ac2f0f7fb3bd2895d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
467KB

MD5
1f389ce8dd14fa092a05104ef99ae174

SHA1
bed9a333fde16a8895d443a9b454649e16083b02

SHA256
8463de48951e8efed8a7c23cc5bc70a95ef7006f5d620f458f3f9f7732f889ae

SHA512
aad444df8f998c73be5819cb5e045a95fe9714aaeb049cc65f89b86770ea44afe277564f0f2fdc88b4cf97aa69b8fe7291f1b22c711c934ac2f0f7fb3bd2895d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
467KB

MD5
1f389ce8dd14fa092a05104ef99ae174

SHA1
bed9a333fde16a8895d443a9b454649e16083b02

SHA256
8463de48951e8efed8a7c23cc5bc70a95ef7006f5d620f458f3f9f7732f889ae

SHA512
aad444df8f998c73be5819cb5e045a95fe9714aaeb049cc65f89b86770ea44afe277564f0f2fdc88b4cf97aa69b8fe7291f1b22c711c934ac2f0f7fb3bd2895d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
467KB

MD5
1f389ce8dd14fa092a05104ef99ae174

SHA1
bed9a333fde16a8895d443a9b454649e16083b02

SHA256
8463de48951e8efed8a7c23cc5bc70a95ef7006f5d620f458f3f9f7732f889ae

SHA512
aad444df8f998c73be5819cb5e045a95fe9714aaeb049cc65f89b86770ea44afe277564f0f2fdc88b4cf97aa69b8fe7291f1b22c711c934ac2f0f7fb3bd2895d

Download Submit
memory/3052-138-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download