vidar | f1932238ebf61f3f07165cb78f22a83432b40cc0da4f1d88a0cdb51089ecdf29

General

Target

f1ac61c5cccc6e76dd193867004e2c13.exe
Size

919KB
MD5

f1ac61c5cccc6e76dd193867004e2c13
SHA1

c64243d7b3c61b0a554d47b6d33182fa3b591ee9
SHA256

f1932238ebf61f3f07165cb78f22a83432b40cc0da4f1d88a0cdb51089ecdf29
SHA512

fc129489620db6c77f835c240c1093ba58c5f0110114db3066b5f0c25a3b00e0505b8822251960abd63c7690a276b917218bd3f4e5d445ed773886fd6bdd46b8
SSDEEP

24576:5fFokLbbpT5fA7hwAPAARV91Qb3inEc/Swt:9SkbpT5uhnYo9ybSGi

Score

10^/10

vidar 921 stealer

Malware Config

Extracted

Family

vidar

Version

41.2

Botnet

921

C2

https://mas.to/@serg4325

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1812-4-0x000000001C130000-0x000000001C20C000-memory.dmp	family_vidar
C:\ProgramData\build.exe	family_vidar
C:\ProgramData\build.exe	family_vidar
\ProgramData\build.exe	family_vidar

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

2116 build.exe
Loads dropped DLL 4 IoCs

Processes:

WerFault.exe

pid process

2952 WerFault.exe
2952 WerFault.exe
2952 WerFault.exe
2952 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2952 2116 WerFault.exe build.exe

pid	process
2116	build.exe

pid	process
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe

pid	pid_target	process	target process
2952	2116	WerFault.exe	build.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	build.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f1ac61c5cccc6e76dd193867004e2c13.exebuild.exe

description	pid	process	target process
PID 1812 wrote to memory of 2116	1812	f1ac61c5cccc6e76dd193867004e2c13.exe	build.exe
PID 1812 wrote to memory of 2116	1812	f1ac61c5cccc6e76dd193867004e2c13.exe	build.exe
PID 1812 wrote to memory of 2116	1812	f1ac61c5cccc6e76dd193867004e2c13.exe	build.exe
PID 1812 wrote to memory of 2116	1812	f1ac61c5cccc6e76dd193867004e2c13.exe	build.exe
PID 2116 wrote to memory of 2952	2116	build.exe	WerFault.exe
PID 2116 wrote to memory of 2952	2116	build.exe	WerFault.exe
PID 2116 wrote to memory of 2952	2116	build.exe	WerFault.exe
PID 2116 wrote to memory of 2952	2116	build.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f1ac61c5cccc6e76dd193867004e2c13.exe
"C:\Users\Admin\AppData\Local\Temp\f1ac61c5cccc6e76dd193867004e2c13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1276
3⤵
- Loads dropped DLL
- Program crash
PID:2952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\build.exe
Filesize
78KB

MD5
42981b5f6bae76f2e1805999bcf186ba

SHA1
a38f05b63decb4cbafd03d5874925e4f6fb91643

SHA256
90e7cac7d2b415a82aaf1a902544b85984eea0d83d47e57ce204823439ba6f2f

SHA512
f89f490c695ce20f5061181c13fc94b9deb242cfea7187bc32a4c1b0acee1dc48e647864deb45cbb274d8bbca640b5781bbe8cd23e1212aac7c507b1014a17f4

Download Submit
C:\ProgramData\build.exe
Filesize
8KB

MD5
a96eb7bcca008371d38106b95d8a788c

SHA1
d4613b388c4f8e93f4c4b0b636da93f4877c71df

SHA256
c28d429bfcd6d6420a84c43da6a380b50baf58c20a096a2c20f68899d5a1cdd1

SHA512
1f7b0d2247a30a0de026bed8e4e8eed071e2965d62cc0a7f18107da4960a98725bcfbce1f8ac92e3f474e58a6d66901694141cb8a20077e9a847e97c5d2615d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DE9.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7E3A.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\ProgramData\build.exe
Filesize
848KB

MD5
4c226f20e759164ee855dba5ecef2b5c

SHA1
7c6cf378470940509c4efd48be393f892be8aba7

SHA256
983dbf6bf813ae7444e55010427ea0ed3a3dc24dac96405c26dd6c78e95c844f

SHA512
8a5895413b36ad3ed9e1ebcbf72163dda3f5a926226752a493ca76204cbefb9d7718858306bd20532bafc0271f6109fcde681070da49264c839f74b539e1c16d

Download Submit
memory/1812-0-0x000000013F6C0000-0x000000013F7AA000-memory.dmp

Filesize
936KB

Download
memory/1812-1-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/1812-2-0x000000001C050000-0x000000001C12C000-memory.dmp

Filesize
880KB

Download
memory/1812-3-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/1812-4-0x000000001C130000-0x000000001C20C000-memory.dmp

Filesize
880KB

Download
memory/1812-13-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads