vidar | 4227ee74e68b799efeb3613493f4814a81e16fec32c88bcc3fdcc7eae35b60bc

General

Target

f1e89356f7a21887e4b5db1160717abf.exe
Size

581KB
MD5

f1e89356f7a21887e4b5db1160717abf
SHA1

ff7409ec73309460650dccc2e44efb8595c246d7
SHA256

4227ee74e68b799efeb3613493f4814a81e16fec32c88bcc3fdcc7eae35b60bc
SHA512

891734162b8f4b5c1d9cc08cc9c8140edbdf8af2ca4b0819a860cc1c1887d041e25db1b4282069ebeea6d764846d5d20ba3e836d923b1e3886f468236b244e51
SSDEEP

12288:qxOZuX86JY1oowOZ6XxAiVrjJgostVjXl+2U9rKicYz:qs8XfeXv6T7YH7l+2GrKicYz

Score

10^/10

vidar 921 stealer

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

921

C2

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2204-8-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2204-7-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2204-4-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2204-67-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Suspicious use of SetThreadContext 1 IoCs

Processes:

f1e89356f7a21887e4b5db1160717abf.exe

description pid process target process

PID 2188 set thread context of 2204 2188 f1e89356f7a21887e4b5db1160717abf.exe f1e89356f7a21887e4b5db1160717abf.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1892 2204 WerFault.exe f1e89356f7a21887e4b5db1160717abf.exe

description	pid	process	target process
PID 2188 set thread context of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe

pid	pid_target	process	target process
1892	2204	WerFault.exe	f1e89356f7a21887e4b5db1160717abf.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

f1e89356f7a21887e4b5db1160717abf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f1e89356f7a21887e4b5db1160717abf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f1e89356f7a21887e4b5db1160717abf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f1e89356f7a21887e4b5db1160717abf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f1e89356f7a21887e4b5db1160717abf.exe

description pid process

Token: SeDebugPrivilege 2188 f1e89356f7a21887e4b5db1160717abf.exe

description	pid	process
Token: SeDebugPrivilege	2188	f1e89356f7a21887e4b5db1160717abf.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f1e89356f7a21887e4b5db1160717abf.exef1e89356f7a21887e4b5db1160717abf.exe

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
"C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 852
3⤵
- Program crash
PID:1892

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
2⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
2⤵
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6BE2.tmp
Filesize
124KB

MD5
d51fe87ff0d74dd3f09e0e242f87def7

SHA1
27db62395f5695adb0786a850334fbe0a3eafc58

SHA256
92dec60d8a33df7dd93c418f27d1fa6e123710582afbd2bf8f9dc0dfa93471af

SHA512
519e24a94c47c65f0f1b9bdc85eed2c22e206db26a29622a6961e77f4030677cc5f347491371cd1e7eadae333fe8ebe26772cef2939dde4d73cf02c981b034a4

Download Submit
memory/2188-0-0x0000000001070000-0x0000000001104000-memory.dmp

Filesize
592KB

Download
memory/2188-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-2-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/2188-3-0x0000000000460000-0x0000000000480000-memory.dmp

Filesize
128KB

Download
memory/2188-6-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-8-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2204-7-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2204-4-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2204-67-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download

description	pid	process	target process
PID 2188 wrote to memory of 2080	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2080	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2080	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2080	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2172	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2172	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2172	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2172	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2188 wrote to memory of 2204	2188	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 2204 wrote to memory of 1892	2204	f1e89356f7a21887e4b5db1160717abf.exe	WerFault.exe
PID 2204 wrote to memory of 1892	2204	f1e89356f7a21887e4b5db1160717abf.exe	WerFault.exe
PID 2204 wrote to memory of 1892	2204	f1e89356f7a21887e4b5db1160717abf.exe	WerFault.exe
PID 2204 wrote to memory of 1892	2204	f1e89356f7a21887e4b5db1160717abf.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads