vidar | 6befb001c108f7c45d2a391239785bd97cab9fd2a7ae579b724894827f11a443

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.0MB
MD5

e128709bd0f63971fc54e23fbb03b556
SHA1

50ecd6e8f46643a9d044db9c1daf227c496792e4
SHA256

6befb001c108f7c45d2a391239785bd97cab9fd2a7ae579b724894827f11a443
SHA512

7ad099acb32819879280ea78569309b571de62a3fff12d70aae684167e62c8190e2a34d8adf4d8ed44d6768e8bd466ab8d7eb08e62ae87c857272ba853dc2617
SSDEEP

24576:qnB5rKkCqRA9TkDDTP0BmGJXIfGrcG3Ajimp:qnB5rKkCF9Tkry0Gr2p

Score

10^/10

vidar 974b0402eb06bfc59c13e30e8683b76c spyware stealer

Malware Config

Extracted

Family

vidar

Version

5.3

Botnet

974b0402eb06bfc59c13e30e8683b76c

https://t.me/buukcay

https://steamcommunity.com/profiles/76561199544211655

Attributes

profile_id_v2
974b0402eb06bfc59c13e30e8683b76c

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Loads dropped DLL 2 IoCs

pid	Process
2320	vbc.exe
2320	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2320	2376	file.exe	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2376	file.exe
2376	file.exe
2320	vbc.exe
2320	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	file.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2984	2376	file.exe	28
PID 2376 wrote to memory of 2984	2376	file.exe	28
PID 2376 wrote to memory of 2984	2376	file.exe	28
PID 2376 wrote to memory of 2984	2376	file.exe	28
PID 2376 wrote to memory of 1628	2376	file.exe	29
PID 2376 wrote to memory of 1628	2376	file.exe	29
PID 2376 wrote to memory of 1628	2376	file.exe	29
PID 2376 wrote to memory of 1628	2376	file.exe	29
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30
PID 2376 wrote to memory of 2320	2376	file.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB820.tmp

Filesize
163KB

MD5
19399ab248018076e27957e772bcfbab

SHA1
faef897e02d9501146beb49f75da1caf12967b88

SHA256
326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

SHA512
6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/2320-73-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-164-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-71-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-66-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-62-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2320-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2376-18-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-55-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-26-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-28-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-30-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-32-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-34-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-36-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-38-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-40-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-42-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-46-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-52-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-54-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-50-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-48-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-44-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-24-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-56-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2376-57-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2376-22-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-20-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-0-0x0000000000BB0000-0x0000000000DAA000-memory.dmp

Filesize
2.0MB

Download
memory/2376-16-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-14-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-12-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-10-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-8-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-72-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-6-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-5-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/2376-4-0x00000000008D0000-0x00000000008FA000-memory.dmp

Filesize
168KB

Download
memory/2376-3-0x00000000048F0000-0x0000000004996000-memory.dmp

Filesize
664KB

Download
memory/2376-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2376-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download