vidar | c484af9d90f4ee9db8f065be845eb6f47d7281e769e6e35a083790a6d66e4391

General

Target

Presentation info/Presentation info.exe
Size

93.2MB
MD5

e06a97f4714b6d0e62c51b3395a64a6e
SHA1

870e5cc5a18acb41c1377c6a47b4cef76723a2e1
SHA256

5e374fbc3960dd68c2cef4209851103f5623957e9815a0be720befd7899d3cc0
SHA512

b0483408723e5bd786d8170c2b46c25d1f37f2bca9f0f6855c8b94a2acea914dd45a3e479299bd9aeb920d6966667b729e7cbe4a03126945d90e4f33c7169df7
SSDEEP

1572864:UjA+Zh4QkjGuWsqebzyuGqNMnKuEqHhaPd5nC8DDkeZZZZZsOKa1pVeOKCr7ZPo:UjA+P43jRWshbzyuNMnlEqIPrzDkeZZs

Score

10^/10

vidar 86277575c381e1fefb9bf290d771e6f1 spyware stealer

Malware Config

Extracted

Family

vidar

Version

5.4

Botnet

86277575c381e1fefb9bf290d771e6f1

C2

https://steamcommunity.com/profiles/76561199545993403

http://79.137.206.192:80

https://t.me/vogogor

Attributes

profile_id_v2
86277575c381e1fefb9bf290d771e6f1
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Presentation info.exe

description pid process target process

PID 1192 created 3236 1192 Presentation info.exe Explorer.EXE
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

GUP.exe

pid process

2132 GUP.exe
Loads dropped DLL 3 IoCs

Processes:

GUP.exeexplorer.exe

pid process

2132 GUP.exe
3000 explorer.exe
3000 explorer.exe
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

GUP.exe

description pid process target process

PID 2132 set thread context of 3708 2132 GUP.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1192 created 3236	1192	Presentation info.exe	Explorer.EXE

pid	process
2132	GUP.exe

pid	process
2132	GUP.exe
3000	explorer.exe
3000	explorer.exe

description	pid	process	target process
PID 2132 set thread context of 3708	2132	GUP.exe	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4808 timeout.exe

pid	process
4808	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Presentation info.exeGUP.execmd.exeexplorer.exe

pid	process
1192	Presentation info.exe
1192	Presentation info.exe
2132	GUP.exe
3708	cmd.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

GUP.execmd.exe

pid process

2132 GUP.exe
3708 cmd.exe

pid	process
2132	GUP.exe
3708	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Presentation info.exeGUP.execmd.exeexplorer.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 2132	1192	Presentation info.exe	GUP.exe
PID 1192 wrote to memory of 2132	1192	Presentation info.exe	GUP.exe
PID 2132 wrote to memory of 3708	2132	GUP.exe	cmd.exe
PID 2132 wrote to memory of 3708	2132	GUP.exe	cmd.exe
PID 2132 wrote to memory of 3708	2132	GUP.exe	cmd.exe
PID 2132 wrote to memory of 3708	2132	GUP.exe	cmd.exe
PID 3708 wrote to memory of 3000	3708	cmd.exe	explorer.exe
PID 3708 wrote to memory of 3000	3708	cmd.exe	explorer.exe
PID 3708 wrote to memory of 3000	3708	cmd.exe	explorer.exe
PID 3708 wrote to memory of 3000	3708	cmd.exe	explorer.exe
PID 3000 wrote to memory of 4492	3000	explorer.exe	cmd.exe
PID 3000 wrote to memory of 4492	3000	explorer.exe	cmd.exe
PID 3000 wrote to memory of 4492	3000	explorer.exe	cmd.exe
PID 4492 wrote to memory of 4808	4492	cmd.exe	timeout.exe
PID 4492 wrote to memory of 4808	4492	cmd.exe	timeout.exe
PID 4492 wrote to memory of 4808	4492	cmd.exe	timeout.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\Presentation info\Presentation info.exe
"C:\Users\Admin\AppData\Local\Temp\Presentation info\Presentation info.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Roaming\propsys\GUP.exe
"C:\Users\Admin\AppData\Roaming\propsys\GUP.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:4808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\20110b16
Filesize
789KB

MD5
bc76be427dd97901bc011518f49c97a7

SHA1
2e6024cfc516ceed8f555582972b61fdedea09e6

SHA256
6204eaddd1ff563fc5447e5623f40cca4ce4fee7c5634a7de14d087ffb0c6902

SHA512
7553a661482fdd62b07813ae214a73d1a309ee618d4eb9faf856c7d04858d535582eabb27d11f6c7ab77c7996e9dcc7b727ab62b1613ed4091c8a90eecbb2e2d

Download Submit
C:\Users\Admin\AppData\Roaming\propsys\GUP.exe
Filesize
954KB

MD5
4620f1ba5072f37bdedf2650c654595d

SHA1
7f9079445da0b254457917c97945216eab3536ca

SHA256
ff14c25bf61e359668e0eeadb48345737caebf658f04e5b7ab4d4f465d0fd01c

SHA512
842a1935e95be85365b24a560c02b6bb9ec424a89c5e4240c28e2c63864da814dd862c5ed32847c5277570bed2cc1f90e94fe23fb5cd9950dbea4de18584313a

Download Submit
C:\Users\Admin\AppData\Roaming\propsys\GUP.exe
Filesize
954KB

MD5
4620f1ba5072f37bdedf2650c654595d

SHA1
7f9079445da0b254457917c97945216eab3536ca

SHA256
ff14c25bf61e359668e0eeadb48345737caebf658f04e5b7ab4d4f465d0fd01c

SHA512
842a1935e95be85365b24a560c02b6bb9ec424a89c5e4240c28e2c63864da814dd862c5ed32847c5277570bed2cc1f90e94fe23fb5cd9950dbea4de18584313a

Download Submit
C:\Users\Admin\AppData\Roaming\propsys\balletomania.dat
Filesize
651KB

MD5
2912f77ed01ce8120a5f2f58c4004461

SHA1
1e1d45e926ca935cc813cdcd44028c6acd410568

SHA256
737e82e773583bc00fc6407d47abc670b319d3a30dad26465b3276d39bed8369

SHA512
426023375d76d507c588cef631c4aca1e86ca56109b36eb3c1a71d21180c0d2c0e6ca36b07e7faa099d998dbfa14651de4e5e51107d96632b1505bb8369c3058

Download Submit
C:\Users\Admin\AppData\Roaming\propsys\libcurl.dll
Filesize
666KB

MD5
a7d4413b2f10c6e6b1663818547e89d1

SHA1
16ac5f275430722bbb0f208782202b55646451ca

SHA256
632855381a9e80f6f48bea4011f01f2dfa7a42141fe6eeacc58a27947efee196

SHA512
a8588dbf67f36b994ae2deb535d27e28d9f747fc1ba4a4303859feb528bedb563775a119f542ce5db1502791fd138eb008b55de29de272a5ca5963ccbe63e5f7

Download Submit
C:\Users\Admin\AppData\Roaming\propsys\libcurl.dll
Filesize
666KB

MD5
a7d4413b2f10c6e6b1663818547e89d1

SHA1
16ac5f275430722bbb0f208782202b55646451ca

SHA256
632855381a9e80f6f48bea4011f01f2dfa7a42141fe6eeacc58a27947efee196

SHA512
a8588dbf67f36b994ae2deb535d27e28d9f747fc1ba4a4303859feb528bedb563775a119f542ce5db1502791fd138eb008b55de29de272a5ca5963ccbe63e5f7

Download Submit
memory/1192-1-0x00007FF800460000-0x00007FF80078D000-memory.dmp

Filesize
3.2MB

Download
memory/1192-7-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/2132-12-0x00007FFFF2020000-0x00007FFFF3697000-memory.dmp

Filesize
22.5MB

Download
memory/3000-25-0x00000000003D0000-0x0000000000442000-memory.dmp

Filesize
456KB

Download
memory/3000-22-0x00000000003D0000-0x0000000000442000-memory.dmp

Filesize
456KB

Download
memory/3000-23-0x00007FF8114D0000-0x00007FF8116C5000-memory.dmp

Filesize
2.0MB

Download
memory/3000-27-0x0000000000B90000-0x0000000000FC3000-memory.dmp

Filesize
4.2MB

Download
memory/3000-28-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3000-70-0x00000000003D0000-0x0000000000442000-memory.dmp

Filesize
456KB

Download
memory/3708-21-0x0000000073F80000-0x00000000751D4000-memory.dmp

Filesize
18.3MB

Download
memory/3708-19-0x0000000073F80000-0x00000000751D4000-memory.dmp

Filesize
18.3MB

Download
memory/3708-18-0x0000000073F80000-0x00000000751D4000-memory.dmp

Filesize
18.3MB

Download
memory/3708-15-0x00007FF8114D0000-0x00007FF8116C5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads