vidar | 469a4e2de0f45d2543d7e535c54c6d6861e26e7ed26e1fda4ce9e00d03fb0077

General

Target

#DllHijacking #Vidar/Starter.exe
Size

7.3MB
MD5

49b6bce6cd0111433969c39a62635f91
SHA1

0e34b4e770cc7d018b955bc14dabb205321e872c
SHA256

29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5
SHA512

4737663a5a6b30779650dcaa461b7751bfb735d2c906d04d877604db5a270f68205e0ff1240f2509f2835d885708b849759b10d22deff3bf0f03579bd1402ff8
SSDEEP

49152:/Ph7SQtfhuOhfEPOBjP9P6SOgjha5VKnRt3RQ9Wpvgt4sbVpEmVT1oG3vTROBYxI:ntBbz3q9QluER

Score

10^/10

vidar b86ed69267e5641d44dafebd064d1e80 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

b86ed69267e5641d44dafebd064d1e80

C2

https://65.109.242.97

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
b86ed69267e5641d44dafebd064d1e80
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2844-21-0x0000000000420000-0x0000000000B68000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-61-0x0000000000420000-0x0000000000B68000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-62-0x0000000000420000-0x0000000000B68000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2532	2232	Starter.exe	28

Loads dropped DLL 7 IoCs

pid	Process
2532	cmd.exe
2844	gsd.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	2844	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	Starter.exe
2232	Starter.exe
2532	cmd.exe
2532	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2232	Starter.exe
2532	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2532	2232	Starter.exe	28
PID 2232 wrote to memory of 2532	2232	Starter.exe	28
PID 2232 wrote to memory of 2532	2232	Starter.exe	28
PID 2232 wrote to memory of 2532	2232	Starter.exe	28
PID 2232 wrote to memory of 2532	2232	Starter.exe	28
PID 2532 wrote to memory of 2844	2532	cmd.exe	30
PID 2532 wrote to memory of 2844	2532	cmd.exe	30
PID 2532 wrote to memory of 2844	2532	cmd.exe	30
PID 2532 wrote to memory of 2844	2532	cmd.exe	30
PID 2532 wrote to memory of 2844	2532	cmd.exe	30
PID 2844 wrote to memory of 552	2844	gsd.exe	34
PID 2844 wrote to memory of 552	2844	gsd.exe	34
PID 2844 wrote to memory of 552	2844	gsd.exe	34
PID 2844 wrote to memory of 552	2844	gsd.exe	34
PID 2532 wrote to memory of 2844	2532	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\#DllHijacking #Vidar\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\#DllHijacking #Vidar\Starter.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\gsd.exe
    C:\Users\Admin\AppData\Local\Temp\gsd.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1432
      4⤵
      Loads dropped DLL
      Program crash
      PID:552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\96f21963

Filesize
5.9MB

MD5
61425e461d8bcd8e5edbcc6dc13c73d5

SHA1
6c8cd2d6e0af34c2e49a4efb77aec6840684896f

SHA256
402620b1ebf0ebac17d6d460add502004b6b0f67f27c26d84aad91ccc9f1b565

SHA512
307cd5614e51c6c74cc833a2944a0581e89004a4802a6911cc2cf1ec097037185ba7d1a3970048a6b4c34f8f2280fd146fe395187c3f7c2f087e7242574180e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2B4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
\Users\Admin\AppData\Local\Temp\gsd.exe

Filesize
82KB

MD5
9e368252cee939f6a19df11945968a54

SHA1
633407597d5ef809dacfcc176b5bdebe4b3e92d8

SHA256
dc1175b2170d87f53512761950ac3fbfd13afabade3ed4ae18627c4625a58dfd

SHA512
7b6a03bec0f8c17c030621b5da8e39b0662ecad6e41f44d8085d6d8d0cae62452ed1dafac9f678b9355f804997b7feb9c7ebd981172b45144b76c98e3d30fe61

Download Submit
memory/2232-0-0x000007FEF5AE0000-0x000007FEF5C38000-memory.dmp

Filesize
1.3MB

Download
memory/2232-4-0x000007FEF5AE0000-0x000007FEF5C38000-memory.dmp

Filesize
1.3MB

Download
memory/2232-5-0x000007FEF5AE0000-0x000007FEF5C38000-memory.dmp

Filesize
1.3MB

Download
memory/2232-7-0x0000000000400000-0x0000000000B62000-memory.dmp

Filesize
7.4MB

Download
memory/2532-12-0x00000000747B0000-0x0000000074924000-memory.dmp

Filesize
1.5MB

Download
memory/2532-16-0x00000000747B0000-0x0000000074924000-memory.dmp

Filesize
1.5MB

Download
memory/2532-18-0x00000000747B0000-0x0000000074924000-memory.dmp

Filesize
1.5MB

Download
memory/2532-9-0x0000000076F70000-0x0000000077119000-memory.dmp

Filesize
1.7MB

Download
memory/2844-20-0x0000000076F70000-0x0000000077119000-memory.dmp

Filesize
1.7MB

Download
memory/2844-21-0x0000000000420000-0x0000000000B68000-memory.dmp

Filesize
7.3MB

Download
memory/2844-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2844-61-0x0000000000420000-0x0000000000B68000-memory.dmp

Filesize
7.3MB

Download
memory/2844-62-0x0000000000420000-0x0000000000B68000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing