vidar | 29a245f9b70d99e57dd0fda398d88029c4f258d74f805eaf5c1c8e7aba042fdd

General

Target

1nstaIIER-S4t-UP.rar
Size

123.0MB
MD5

68f147e3b4adba7973bc414db731b888
SHA1

29fb5fa1f4170f2dd58e4d28f325fd5ee0e2b270
SHA256

29a245f9b70d99e57dd0fda398d88029c4f258d74f805eaf5c1c8e7aba042fdd
SHA512

bb0eff75daac6c88f708c025b2bebfd00d52d8db3953e73230ee8459f6021d827123c2a7d1d9343501b050bc5716e8ed4069e4555995e7a03ced8ec26efe687c
SSDEEP

3145728:EDPNOdh5gi0uX+gYkDbxUlY5bBEihprWlrzik:EjNwhbxYk3xUwB3YOk

Score

10^/10

vidar 97b92d10859a319d8736cd53ff3f8868 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

97b92d10859a319d8736cd53ff3f8868

C2

http://5.252.118.12:80

https://t.me/voolkisms

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
97b92d10859a319d8736cd53ff3f8868
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2700-37-0x0000000000CD0000-0x00000000016FD000-memory.dmp	family_vidar_v7
behavioral1/memory/2700-80-0x0000000000CD0000-0x00000000016FD000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

2700 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

272 2700 WerFault.exe Setup.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Setup.exe

pid process

2700 Setup.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 2688 7zFM.exe
Token: 35 2688 7zFM.exe
Token: SeSecurityPrivilege 2688 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

2688 7zFM.exe
2688 7zFM.exe

pid	process
2700	Setup.exe

pid	pid_target	process	target process
272	2700	WerFault.exe	Setup.exe

pid	process
2700	Setup.exe

description	pid	process
Token: SeRestorePrivilege	2688	7zFM.exe
Token: 35	2688	7zFM.exe
Token: SeSecurityPrivilege	2688	7zFM.exe

pid	process
2688	7zFM.exe
2688	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exe7zFM.exe

description	pid	process	target process
PID 2952 wrote to memory of 2688	2952	cmd.exe	7zFM.exe
PID 2952 wrote to memory of 2688	2952	cmd.exe	7zFM.exe
PID 2952 wrote to memory of 2688	2952	cmd.exe	7zFM.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe
PID 2688 wrote to memory of 2700	2688	7zFM.exe	Setup.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1nstaIIER-S4t-UP.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1nstaIIER-S4t-UP.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 944
4⤵
- Program crash
PID:272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
1.8MB

MD5
5e58228adde356da38756cf8219817b9

SHA1
711597e702a8ef36b6754675f4c0830c1ae5b4d3

SHA256
de851168a66007bab962ef52cc2a49e7cf400dfd0b431451cc05d6666e7eec62

SHA512
ca7a49512fc693bcacb9d11e4006ce5ce156501586b3a4339d084e28ed9c4c66b02c45a592124e0f2c67f996dc031706ab789dbb062792a7e0c0dafb79bd361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
1024KB

MD5
43c748cb42d40cd22bca54c9c197bc9d

SHA1
cceb409ef59cf1012f76800310d615d3843941f0

SHA256
4ba7d30b3259dee00603cf9adc3aa0d08d5cfe7f90288205782ea665933fb10b

SHA512
b3f752812b6e302f18a3f61548fa1e56b5d6642a00a2d8cfb13b8c38661cc96d48067ae8302559df12fdceb108eb7299896eea039d83c86cad4d448cbab76f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
972KB

MD5
087dc12426dba6e576421b3f1d76a79c

SHA1
6f862a1f6a7a491d8f77115c3a62403bb46dfd0c

SHA256
0c210c247a793587d30c68df3eae8cae3c2c443f9814b640483f6bad87df2ec1

SHA512
f483ad65646ee8ade99b20501460af48b2345bd6fa2a0431750e3e4cc110f27db300a3d8028dad57d3b7046c31c2d3c408345f1f91cb8418f5d9eb0083c760d3

Download Submit
\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
521KB

MD5
ceb5fd1e5ef5565f12eeea3f11406557

SHA1
783d886ca1c1e8f0869bd60d2c96c03bdae1bff1

SHA256
d6a2f2ce8e52fd8e1b5a0dc450130161f495c7db1caa2fffcea205ecde1da733

SHA512
f9bbe419ecc3721ab6271af9c728d0730374f9a81897f63578a32600f486867f2edb7bf8813184237ce2052923a98a3defbacec3d46d638765169a811a632cbb

Download Submit
\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
604KB

MD5
333396f0c807b1f4994dbd53214a0e37

SHA1
99b060e41648e7c3673eee4297a22825b756552b

SHA256
4bccffb84f90e8a66deafa2e64d38d90ac6149e3138f22263b1d71eb62f188d9

SHA512
05edcc24a9778f9f68539f4acd9720b930fd52ff1a62f2fc4dc734f148b77e7811deb8b7a0e1b826c231bb98561230cdfcdb3398451170ec09b03baab5a180c4

Download Submit
\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
461KB

MD5
5ed43622d54b66153b96033c95acfb8e

SHA1
a701af88c81bbb21e957b5122b0ee8c2ed12343c

SHA256
8f472b74028d1e303e1319424d04be263bbeb30d45fc114c9da63ea3b1053dd4

SHA512
669e18f979c5e86ae87cf3e2a8b2b42e1ff8886f9a49a480014e4ab0514bd9e5f90f2ecbea9cf88497fb73eea5de4f94348b76da102692922e282f9bbd08fa43

Download Submit
\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
596KB

MD5
85f06f71c32462e4fff7868327f2212d

SHA1
1b82029e571f74f80d69b3edd40cb8f91ea6997c

SHA256
f0252a90910755b3f7acc2d9d43916873704b06fe8f8bda4eca88ad278bcad84

SHA512
b8a951844eb84cc6247e3f02464739d63db3fd3049bc6bf60d0b9afd911bf7328811fe3bd3def2726c02318afce05f52397db66668028b6d1d57ee022b6399e9

Download Submit
\Users\Admin\AppData\Local\Temp\7zO08A85C66\Setup.exe
Filesize
250KB

MD5
b84a62c8f7ace46707b2b5d3faff1231

SHA1
b284125357d18ea6919570d29fe2c5bb953e2cb3

SHA256
d044c20ed0230d0d8af8bc404f0fd8fe22c819dc9e155ecf62f03f244fa9a9ea

SHA512
c6b0b3aef5e2462277f83332ee50ca783611e665877d328c91df808c55703ad0bb76112b0ef070d08cd511e87cf9c9f17d59c762e54974586cdfcf3f874b22d2

Download Submit
memory/2700-53-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2700-43-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2700-71-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2700-69-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2700-61-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2700-59-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2700-66-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2700-46-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2700-45-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2700-64-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2700-41-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2700-40-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2700-38-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2700-37-0x0000000000CD0000-0x00000000016FD000-memory.dmp

Filesize
10.2MB

Download
memory/2700-57-0x0000000077640000-0x0000000077641000-memory.dmp

Filesize
4KB

Download
memory/2700-55-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2700-48-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2700-50-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2700-35-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2700-80-0x0000000000CD0000-0x00000000016FD000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing