vidar | 96bced42def7b8d8a6e836ea2d7d0aaae76ee5558c165a88cee70af8639be642

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Full_Activate_Setup.exe
Size

7.3MB
MD5

49b6bce6cd0111433969c39a62635f91
SHA1

0e34b4e770cc7d018b955bc14dabb205321e872c
SHA256

29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5
SHA512

4737663a5a6b30779650dcaa461b7751bfb735d2c906d04d877604db5a270f68205e0ff1240f2509f2835d885708b849759b10d22deff3bf0f03579bd1402ff8
SSDEEP

49152:/Ph7SQtfhuOhfEPOBjP9P6SOgjha5VKnRt3RQ9Wpvgt4sbVpEmVT1oG3vTROBYxI:ntBbz3q9QluER

Score

10^/10

vidar b86ed69267e5641d44dafebd064d1e80 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

b86ed69267e5641d44dafebd064d1e80

https://65.109.242.97

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
b86ed69267e5641d44dafebd064d1e80
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/312-21-0x0000000000420000-0x0000000000B68000-memory.dmp	family_vidar_v7
behavioral1/memory/312-32-0x0000000000420000-0x0000000000B68000-memory.dmp	family_vidar_v7
behavioral1/memory/312-62-0x0000000000420000-0x0000000000B68000-memory.dmp	family_vidar_v7
behavioral1/memory/1412-63-0x0000000140000000-0x00000001405E8000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 968	2148	Full_Activate_Setup.exe	28

Loads dropped DLL 7 IoCs

pid	Process
968	cmd.exe
312	gsd.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1904	312	WerFault.exe	32

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2148	Full_Activate_Setup.exe
2148	Full_Activate_Setup.exe
968	cmd.exe
968	cmd.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1412	taskmgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2148	Full_Activate_Setup.exe
968	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	taskmgr.exe
Token: SeShutdownPrivilege	1480	LogonUI.exe
Token: SeShutdownPrivilege	1480	LogonUI.exe
Token: SeSecurityPrivilege	3024	winlogon.exe
Token: SeBackupPrivilege	3024	winlogon.exe
Token: SeSecurityPrivilege	3024	winlogon.exe
Token: SeTcbPrivilege	3024	winlogon.exe
Token: SeShutdownPrivilege	1480	LogonUI.exe
Token: SeSecurityPrivilege	3024	winlogon.exe
Token: SeBackupPrivilege	3024	winlogon.exe
Token: SeSecurityPrivilege	3024	winlogon.exe
Token: SeShutdownPrivilege	1480	LogonUI.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 968	2148	Full_Activate_Setup.exe	28
PID 2148 wrote to memory of 968	2148	Full_Activate_Setup.exe	28
PID 2148 wrote to memory of 968	2148	Full_Activate_Setup.exe	28
PID 2148 wrote to memory of 968	2148	Full_Activate_Setup.exe	28
PID 2148 wrote to memory of 968	2148	Full_Activate_Setup.exe	28
PID 968 wrote to memory of 312	968	cmd.exe	32
PID 968 wrote to memory of 312	968	cmd.exe	32
PID 968 wrote to memory of 312	968	cmd.exe	32
PID 968 wrote to memory of 312	968	cmd.exe	32
PID 968 wrote to memory of 312	968	cmd.exe	32
PID 312 wrote to memory of 1904	312	gsd.exe	37
PID 312 wrote to memory of 1904	312	gsd.exe	37
PID 312 wrote to memory of 1904	312	gsd.exe	37
PID 312 wrote to memory of 1904	312	gsd.exe	37
PID 968 wrote to memory of 312	968	cmd.exe	32
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 3024 wrote to memory of 1480	3024	winlogon.exe	45
PID 3024 wrote to memory of 1480	3024	winlogon.exe	45
PID 3024 wrote to memory of 1480	3024	winlogon.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45
PID 844 wrote to memory of 1480	844	csrss.exe	45

C:\Users\Admin\AppData\Local\Temp\Full_Activate_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Full_Activate_Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\gsd.exe
    C:\Users\Admin\AppData\Local\Temp\gsd.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1400
      4⤵
      Loads dropped DLL
      Program crash
      PID:1904

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1412

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1120

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9b1a9f96

Filesize
5.9MB

MD5
38d3c30a63dc3499db23bd8884dc44a1

SHA1
171b77a74eb04380747a754ed108711e474dfda1

SHA256
4e0b1fff08b71605adc44693c0d2d7ffe74fb9578769e56a5a5a0c2b5527f308

SHA512
8adc478992ba76eba1f576053e0aafaee3a5ddd0f9af98fc4e2d7825c0fa2d898c109ab67a4fcacc1becde31bdec98ade1739af021bf2795d2aa80d50910b785

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC23E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
\Users\Admin\AppData\Local\Temp\gsd.exe

Filesize
82KB

MD5
9e368252cee939f6a19df11945968a54

SHA1
633407597d5ef809dacfcc176b5bdebe4b3e92d8

SHA256
dc1175b2170d87f53512761950ac3fbfd13afabade3ed4ae18627c4625a58dfd

SHA512
7b6a03bec0f8c17c030621b5da8e39b0662ecad6e41f44d8085d6d8d0cae62452ed1dafac9f678b9355f804997b7feb9c7ebd981172b45144b76c98e3d30fe61

Download Submit
memory/312-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/312-32-0x0000000000420000-0x0000000000B68000-memory.dmp

Filesize
7.3MB

Download
memory/312-62-0x0000000000420000-0x0000000000B68000-memory.dmp

Filesize
7.3MB

Download
memory/312-21-0x0000000000420000-0x0000000000B68000-memory.dmp

Filesize
7.3MB

Download
memory/312-20-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/968-18-0x0000000074C80000-0x0000000074DF4000-memory.dmp

Filesize
1.5MB

Download
memory/968-15-0x0000000074C80000-0x0000000074DF4000-memory.dmp

Filesize
1.5MB

Download
memory/968-12-0x0000000074C80000-0x0000000074DF4000-memory.dmp

Filesize
1.5MB

Download
memory/968-9-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1412-63-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1412-64-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1412-65-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2148-5-0x000007FEF60D0000-0x000007FEF6228000-memory.dmp

Filesize
1.3MB

Download
memory/2148-0-0x000007FEF60D0000-0x000007FEF6228000-memory.dmp

Filesize
1.3MB

Download
memory/2148-7-0x0000000000400000-0x0000000000B62000-memory.dmp

Filesize
7.4MB

Download
memory/2148-4-0x000007FEF60D0000-0x000007FEF6228000-memory.dmp

Filesize
1.3MB

Download