vidar | 6b441ae34112ccf492bc9b7cd467ef3dcf4dcb0ce0a25fb87836807da4991612

General

Target

b17ca9b32513aec9742a7e38c9fc0716.exe
Size

702KB
MD5

b17ca9b32513aec9742a7e38c9fc0716
SHA1

368897b3e55e2fc0f484f90bcf839aed27f49417
SHA256

6b441ae34112ccf492bc9b7cd467ef3dcf4dcb0ce0a25fb87836807da4991612
SHA512

e5c8d5935ee36276c63204284facc31b77c70bf97b24d2090b4b4fe4f53d9cd10db59859b80d6b677490f1fb506c40bec20349397ed75fe67472ffbfde1ae012
SSDEEP

12288:9BOoxOZuX86JY1oowOZ6XxAiVrjJgostVddbJ+slh5N3pdxNLUf5kEmVwqfbfT:90os8XfeXv6T7YHXbJ+w57dxuf5kEmVt

Score

10^/10

vidar 921 stealer

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

921

C2

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1216-4-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/1216-6-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/1216-8-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/1216-66-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Suspicious use of SetThreadContext 1 IoCs

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exe

description pid process target process

PID 1720 set thread context of 1216 1720 b17ca9b32513aec9742a7e38c9fc0716.exe b17ca9b32513aec9742a7e38c9fc0716.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1880 1216 WerFault.exe b17ca9b32513aec9742a7e38c9fc0716.exe

description	pid	process	target process
PID 1720 set thread context of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe

pid	pid_target	process	target process
1880	1216	WerFault.exe	b17ca9b32513aec9742a7e38c9fc0716.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	b17ca9b32513aec9742a7e38c9fc0716.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b17ca9b32513aec9742a7e38c9fc0716.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b17ca9b32513aec9742a7e38c9fc0716.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exe

description pid process

Token: SeDebugPrivilege 1720 b17ca9b32513aec9742a7e38c9fc0716.exe

description	pid	process
Token: SeDebugPrivilege	1720	b17ca9b32513aec9742a7e38c9fc0716.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exeb17ca9b32513aec9742a7e38c9fc0716.exe

C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
"C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
2⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 856
3⤵
- Program crash
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E6C.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/1216-4-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1216-6-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1216-8-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1216-66-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-0-0x0000000000270000-0x0000000000322000-memory.dmp

Filesize
712KB

Download
memory/1720-1-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-2-0x0000000004050000-0x0000000004090000-memory.dmp

Filesize
256KB

Download
memory/1720-3-0x0000000000560000-0x0000000000586000-memory.dmp

Filesize
152KB

Download
memory/1720-7-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1720 wrote to memory of 3000	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 3000	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 3000	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 3000	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1720 wrote to memory of 1216	1720	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 1216 wrote to memory of 1880	1216	b17ca9b32513aec9742a7e38c9fc0716.exe	WerFault.exe
PID 1216 wrote to memory of 1880	1216	b17ca9b32513aec9742a7e38c9fc0716.exe	WerFault.exe
PID 1216 wrote to memory of 1880	1216	b17ca9b32513aec9742a7e38c9fc0716.exe	WerFault.exe
PID 1216 wrote to memory of 1880	1216	b17ca9b32513aec9742a7e38c9fc0716.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads