vidar | 623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3

General

Target

623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe
Size

283KB
MD5

305a9485c4420304f2d328dee93f4b77
SHA1

6c4cd0ea9f47becd543148fe31cb9373f9e68947
SHA256

623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3
SHA512

701879807f9c183d33b351bdd52702b60626c58f3e36b8224cb1603e84bace552eba2afe4e85373fe62677663370b616567df0f11f7565353357b423331d286e
SSDEEP

6144:orNxN4RUUuNrpyrHwJlVOLjf83A57ULZnpZGJsrFZvmyZj0:oBn4i/NrpyrHwJqLjf8XnpZEsrXvmkj

Score

10^/10

vidar b2ced91faf30889899f34458f95b8e93 discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

5.4

Botnet

b2ced91faf30889899f34458f95b8e93

C2

https://t.me/vogogor

https://steamcommunity.com/profiles/76561199545993403

Attributes

profile_id_v2
b2ced91faf30889899f34458f95b8e93
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1444	7980523493.exe

Loads dropped DLL 2 IoCs

pid	Process
1444	7980523493.exe
1444	7980523493.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7980523493.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7980523493.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4744	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2272	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1444	7980523493.exe
1444	7980523493.exe
1444	7980523493.exe
1444	7980523493.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4368	4880	623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe	69
PID 4880 wrote to memory of 4368	4880	623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe	69
PID 4880 wrote to memory of 4368	4880	623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe	69
PID 4368 wrote to memory of 1444	4368	cmd.exe	71
PID 4368 wrote to memory of 1444	4368	cmd.exe	71
PID 4368 wrote to memory of 1444	4368	cmd.exe	71
PID 4880 wrote to memory of 2216	4880	623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe	72
PID 4880 wrote to memory of 2216	4880	623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe	72
PID 4880 wrote to memory of 2216	4880	623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe	72
PID 2216 wrote to memory of 2272	2216	cmd.exe	74
PID 2216 wrote to memory of 2272	2216	cmd.exe	74
PID 2216 wrote to memory of 2272	2216	cmd.exe	74
PID 1444 wrote to memory of 3008	1444	7980523493.exe	78
PID 1444 wrote to memory of 3008	1444	7980523493.exe	78
PID 1444 wrote to memory of 3008	1444	7980523493.exe	78
PID 3008 wrote to memory of 4744	3008	cmd.exe	80
PID 3008 wrote to memory of 4744	3008	cmd.exe	80
PID 3008 wrote to memory of 4744	3008	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe
"C:\Users\Admin\AppData\Local\Temp\623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7980523493.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\7980523493.exe
    "C:\Users\Admin\AppData\Local\Temp\7980523493.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7980523493.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:4744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "623accd5c6532187ac7f47e352584e3ba28185b46c7018542cc7bf7c8ca551a3.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7980523493.exe

Filesize
500KB

MD5
523ad6be6bc5ab3a05ff3727e5cc2d4e

SHA1
0f2747fb399c6ec4890e7ab05d995de6457fca0f

SHA256
15609411e286631dabd4916a34067b3f9a3bbb7b121150ae06d824efbabc2e2f

SHA512
fce703523d38590007b3057dff77aa55989ea1fa1e54fb7683d1c3a9d2612cce2d58fb50f7c5e85c0ce6584f11f84d02f08f8cf7914fd464aca314d674f20062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7980523493.exe

Filesize
500KB

MD5
523ad6be6bc5ab3a05ff3727e5cc2d4e

SHA1
0f2747fb399c6ec4890e7ab05d995de6457fca0f

SHA256
15609411e286631dabd4916a34067b3f9a3bbb7b121150ae06d824efbabc2e2f

SHA512
fce703523d38590007b3057dff77aa55989ea1fa1e54fb7683d1c3a9d2612cce2d58fb50f7c5e85c0ce6584f11f84d02f08f8cf7914fd464aca314d674f20062

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1444-71-0x0000000002690000-0x00000000026EC000-memory.dmp

Filesize
368KB

Download
memory/1444-69-0x0000000000400000-0x000000000246C000-memory.dmp

Filesize
32.4MB

Download
memory/1444-70-0x0000000004070000-0x00000000040A1000-memory.dmp

Filesize
196KB

Download
memory/1444-15-0x0000000004070000-0x00000000040A1000-memory.dmp

Filesize
196KB

Download
memory/1444-16-0x0000000002690000-0x00000000026EC000-memory.dmp

Filesize
368KB

Download
memory/1444-17-0x0000000000400000-0x000000000246C000-memory.dmp

Filesize
32.4MB

Download
memory/1444-30-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4880-14-0x0000000001410000-0x000000000144E000-memory.dmp

Filesize
248KB

Download
memory/4880-1-0x00000000014D0000-0x00000000015D0000-memory.dmp

Filesize
1024KB

Download
memory/4880-3-0x0000000000400000-0x00000000013AC000-memory.dmp

Filesize
15.7MB

Download
memory/4880-13-0x0000000000400000-0x00000000013AC000-memory.dmp

Filesize
15.7MB

Download
memory/4880-2-0x0000000001410000-0x000000000144E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing