vidar | 4d78e8f9f29a96570957acee0c5504ec9c67b97a04892b72ebb31830155b8a81

General

Target

Installer.exe
Size

4.1MB
MD5

592979cd96d6fd6e8eb5c1052e17da40
SHA1

f8595fe8c43f53fcef96c7d0c7052acd6911c8c6
SHA256

4d78e8f9f29a96570957acee0c5504ec9c67b97a04892b72ebb31830155b8a81
SHA512

8afcdb9b9ccb6ab7472fc8c900234c575e79a00dfdc22ac499badc7e6b415021ba5e95999ad2c3171fa301cfd27d861ad0a2663d9287d0f1be7ed1db6fb2127f
SSDEEP

49152:XShgK5pr1wSKK2wAtpkspdExgeXxqusHK/Bu/j8IUI3F4AyZl0+Y5hVfuM+Bde3D:ChgKE4iwkusL9UsyZnY5hBMe3D

Score

10^/10

vidar 8fc1cae2d848b9f26e1bb4d2655aff86 stealer

Malware Config

Extracted

Family

vidar

Version

7.6

Botnet

8fc1cae2d848b9f26e1bb4d2655aff86

C2

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
8fc1cae2d848b9f26e1bb4d2655aff86

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/memory/2580-25-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2580-27-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2580-29-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2580-32-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2580-35-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2580-36-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2580-181-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2032-0-0x00000000002B0000-0x00000000006C0000-memory.dmp	net_reactor

Loads dropped DLL 1 IoCs

pid	Process
2032	Installer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2580	2032	Installer.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	2580	WerFault.exe	28

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2032 wrote to memory of 2580	2032	Installer.exe	28
PID 2580 wrote to memory of 1488	2580	MsBuild.exe	32
PID 2580 wrote to memory of 1488	2580	MsBuild.exe	32
PID 2580 wrote to memory of 1488	2580	MsBuild.exe	32
PID 2580 wrote to memory of 1488	2580	MsBuild.exe	32

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1396
    3⤵
    - Program crash
    PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3c63d67fc975940fdf21c6c3af86643

SHA1
bee4fe9947d19d910d08639f56e08695854c0ee4

SHA256
0daf4293a0bb3d10d0bd69e81deb21ab5f857f68593ee78870a3267263353487

SHA512
ae77bcc1e4d7a4e12b7fc930e88605fcdb3a02ca6128fe8fc92302033e85af4e107a7b7c84063e79ed36809b84747b04ea565b828ace86f62eaf3573036c1294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
753a471f06aeaf23c70ed9e2035c5e77

SHA1
9b18eee6371bdaadf159446420a350ec86d1815d

SHA256
d35e4e9e3bb2a2b3d2a14611dc4b9f562124d4472bc00d2d690a916400a68019

SHA512
ead850a5acd931d2b85e854f2fdba9393ea52f6344fa5fb8ef005b71fc74c6147d82c222adc14bad53f01e614a43e9d7ee69e6c6ec40cead7d1d1a26fd522617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8D18.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/2032-34-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-16-0x0000000005A40000-0x0000000005B40000-memory.dmp

Filesize
1024KB

Download
memory/2032-10-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-9-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-14-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-13-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-15-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-17-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-18-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-0-0x00000000002B0000-0x00000000006C0000-memory.dmp

Filesize
4.1MB

Download
memory/2032-2-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-3-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2032-11-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2032-4-0x0000000004F30000-0x00000000050C2000-memory.dmp

Filesize
1.6MB

Download
memory/2032-12-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2580-25-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-32-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-35-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-36-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-29-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-27-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-23-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-21-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-19-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2580-181-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing