vidar | 5711ef9313874698d0bb4677867e859b26aa677187ac8b9ade6d6eab0b9c41cc

General

Target

Lauucher-PC_S0FTv2O24.rar
Size

123.0MB
MD5

39e94cad4d3077f77b14d1d530e32092
SHA1

891789c0cf9ffcb73928ead05e0e92fb227c8c1b
SHA256

5711ef9313874698d0bb4677867e859b26aa677187ac8b9ade6d6eab0b9c41cc
SHA512

81f5cd05f77a77527f3f389610ab307302ebb9a5add5dc46200d2b5c0710224c6c4e50c7e0f41310e66a45a7b1ed1590359f5ce51119efcaa66d5e8d0b2e8277
SSDEEP

3145728:PmlOX0ssOx11RNr/X6jGgBbXqGWodzbE3QjxKVQxQq:PmTe1RNQGgwGzb1xKyv

Score

10^/10

vidar 97b92d10859a319d8736cd53ff3f8868 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

97b92d10859a319d8736cd53ff3f8868

C2

http://5.252.118.12:80

https://t.me/voolkisms

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
97b92d10859a319d8736cd53ff3f8868
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4948-8-0x0000000001150000-0x0000000001B7D000-memory.dmp	family_vidar_v7
behavioral1/memory/4948-14-0x0000000001150000-0x0000000001B7D000-memory.dmp	family_vidar_v7
behavioral1/memory/4948-21-0x0000000001150000-0x0000000001B7D000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

Set_UP-Launcher_instaIIR.exe

pid process

4948 Set_UP-Launcher_instaIIR.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5036 4948 WerFault.exe Set_UP-Launcher_instaIIR.exe

pid	process
4948	Set_UP-Launcher_instaIIR.exe

pid	pid_target	process	target process
5036	4948	WerFault.exe	Set_UP-Launcher_instaIIR.exe

Modifies registry class 2 IoCs

Processes:

cmd.exe7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4668 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Set_UP-Launcher_instaIIR.exe7zFM.exe

pid process

4948 Set_UP-Launcher_instaIIR.exe
4948 Set_UP-Launcher_instaIIR.exe
3116 7zFM.exe
3116 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3116 7zFM.exe

pid	process
4668	NOTEPAD.EXE

pid	process
4948	Set_UP-Launcher_instaIIR.exe
4948	Set_UP-Launcher_instaIIR.exe
3116	7zFM.exe
3116	7zFM.exe

pid	process
3116	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	3116	7zFM.exe
Token: 35	3116	7zFM.exe
Token: SeSecurityPrivilege	3116	7zFM.exe
Token: SeSecurityPrivilege	3116	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

3116 7zFM.exe
3116 7zFM.exe
3116 7zFM.exe

pid	process
3116	7zFM.exe
3116	7zFM.exe
3116	7zFM.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exe7zFM.exe

description	pid	process	target process
PID 220 wrote to memory of 3116	220	cmd.exe	7zFM.exe
PID 220 wrote to memory of 3116	220	cmd.exe	7zFM.exe
PID 3116 wrote to memory of 4948	3116	7zFM.exe	Set_UP-Launcher_instaIIR.exe
PID 3116 wrote to memory of 4948	3116	7zFM.exe	Set_UP-Launcher_instaIIR.exe
PID 3116 wrote to memory of 4948	3116	7zFM.exe	Set_UP-Launcher_instaIIR.exe
PID 3116 wrote to memory of 4668	3116	7zFM.exe	NOTEPAD.EXE
PID 3116 wrote to memory of 4668	3116	7zFM.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Lauucher-PC_S0FTv2O24.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:220

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lauucher-PC_S0FTv2O24.rar"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\7zOC2C6DBF7\Set_UP-Launcher_instaIIR.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC2C6DBF7\Set_UP-Launcher_instaIIR.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1292
4⤵
- Program crash
PID:5036

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC2CBDA97\LICENSE.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC2C6DBF7\Set_UP-Launcher_instaIIR.exe
Filesize
3.8MB

MD5
705562c629cb78a36cafc44b2cc9665c

SHA1
2a28af4c60b9d6f67519a659c382df75239740cc

SHA256
1c3fb0eb66cf8fb8320d3c26954c908021bedf9c5a70f5ca667ca99b95c89cda

SHA512
438c0d29fb8e8a1d5f54aac5c4ec5aebc035131e3f8f03054ba3d1282ea94cdfeef1da926dd06cbd9ae395001fee1e657ee0d28823dfef5f354c5db03bff2c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC2C6DBF7\Set_UP-Launcher_instaIIR.exe
Filesize
3.4MB

MD5
604af98cf103161d45883eb66578735d

SHA1
6bd5d1b6a2caed7364af3561f6a15c1be9c510be

SHA256
8af18eaaff5bd869563480cbd138d0d79c1f05f17938f2c910d686067d52cd85

SHA512
cd087c57355a4bf6493f661644bdb1f9f752d28068c9de6391b2618b622aed7f2d2c7ca640598b421e75d831f537419ad9b4c9b06f00532ccfdf75ab257f2ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC2CBDA97\LICENSE.txt
Filesize
1KB

MD5
fd49e3012dc4f39b9ace8c401b15ac83

SHA1
348b60e161e5db1679efe06318b9fd2d348b31f6

SHA256
af93045c0953d23b372932c94a2c3c43edf6183a86273947b07b9a268a51c160

SHA512
621d6770fa28401bd7a18c9d8a9a0cf67093b96dda593742098afe10ffcc553a7b1e36ae090b53d21cf1effeb9ff5f2a72b169580fca3125e4ddd802b43b8a81

Download Submit
memory/4948-10-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4948-9-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4948-8-0x0000000001150000-0x0000000001B7D000-memory.dmp

Filesize
10.2MB

Download
memory/4948-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4948-13-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4948-12-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/4948-14-0x0000000001150000-0x0000000001B7D000-memory.dmp

Filesize
10.2MB

Download
memory/4948-11-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/4948-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4948-21-0x0000000001150000-0x0000000001B7D000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads