vidar | a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7

General

Target

Inchr_StExta_Itst_v.3.1.rar
Size

102.1MB
MD5

b35a8f49f22ba7206fad6526ac34f676
SHA1

6a891561a94655ae415b588104e62e5b0bb4d56f
SHA256

a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7
SHA512

e9713bd82429611fd5799470a5e19defa09d960d336245733f38f08b4dbbbc67b6b7fa4a6a09a8885c0ac3f6605e82675ca8deee2103f85ee0782c44c6daaf0e
SSDEEP

3145728:okTYasCFkAhweVB8SWh/s1ncJVn+t6Y7MREum8ySR1F:zkAhwjSWRCc/+t6EMRMBSR1F

Score

10^/10

vidar cd7c97cce7ba52cbbfd2d03e0a6f87c3 stealer

Malware Config

Extracted

Family

vidar

Version

8.6

Botnet

cd7c97cce7ba52cbbfd2d03e0a6f87c3

C2

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
cd7c97cce7ba52cbbfd2d03e0a6f87c3
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1592-563-0x0000000000E40000-0x0000000001085000-memory.dmp	family_vidar_v7
behavioral1/memory/1592-564-0x0000000000E40000-0x0000000001085000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4908	Set-up.exe

Loads dropped DLL 2 IoCs

pid	Process
4908	Set-up.exe
1592	Aut2exe.au3

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 532	4908	Set-up.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	1592	WerFault.exe	111

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
840	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4908	Set-up.exe
4908	Set-up.exe
532	ftp.exe
532	ftp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3164	7zFM.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4908	Set-up.exe
532	ftp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3164	7zFM.exe
Token: 35	3164	7zFM.exe
Token: SeSecurityPrivilege	3164	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3164	7zFM.exe
3164	7zFM.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3164	3124	cmd.exe	87
PID 3124 wrote to memory of 3164	3124	cmd.exe	87
PID 4908 wrote to memory of 532	4908	Set-up.exe	108
PID 4908 wrote to memory of 532	4908	Set-up.exe	108
PID 4908 wrote to memory of 532	4908	Set-up.exe	108
PID 4908 wrote to memory of 532	4908	Set-up.exe	108
PID 532 wrote to memory of 1592	532	ftp.exe	111
PID 532 wrote to memory of 1592	532	ftp.exe	111
PID 532 wrote to memory of 1592	532	ftp.exe	111
PID 532 wrote to memory of 1592	532	ftp.exe	111
PID 532 wrote to memory of 1592	532	ftp.exe	111

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    3⤵
    - Loads dropped DLL
    PID:1592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2184
      4⤵
      Program crash
      PID:2432

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\ReadMe(!).txt
1⤵
- Opens file in notepad (likely ransom note)
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1592 -ip 1592
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\471e671a

Filesize
2.1MB

MD5
38b75d8a4ab04c1d8f967ca689a51481

SHA1
de06b7152ee5e9b9660b189c21efd34b95ea9394

SHA256
340bdbf02e6e9bd3fbb691beecf8355c26c5f2c717dde56f9329137fd263fbe8

SHA512
adbf0321331263d46619f68bfc87445f47f7e54fc3af7bb578b519720967f087930d1f656dcf2cd270dbdc4a4ff449a11777802fe9504500d4a23694aa95f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3

Filesize
1.3MB

MD5
88d518a90f4187b4542618cd328d7a34

SHA1
fa5fd671f8aabce769f82b960634d54c4a27e502

SHA256
5affc1a22d87715d5da70bfddb081335ca0a382b9cc4a54e18263047a76d5d81

SHA512
a1ed751ba7518dcb2cf9ab821fa28690d8f4a41238e4b8d97b37c00eef5662147dea600c90a7192142808f6668f8d252372e0712415d0fb7b9d1faa53b2b7769

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\ReadMe(!).txt

Filesize
2KB

MD5
c5a0d35bd3eb75c9251f509b6501b1db

SHA1
60b7dd5e266bebbcf2ae77fe807aa15bfdc1d66e

SHA256
4cb490a74d0bd419c74d0a4cf425742e993f650c5f2ffe2c81f413694129447e

SHA512
f8895a2e1144bc6d3b37470f61ea5789da7ba76b8fd9e4753298e276ce9a30140c2ebfdb3bfe5178c60ddad04d6fff51ea9182f34afddb5a45281c72da30e22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe

Filesize
1.1MB

MD5
f975a2d83d63a473fa2fc5206b66bb79

SHA1
e49d21f112ab27ae0953aff30ae122440cf164b9

SHA256
6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8

SHA512
4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\berley.asp

Filesize
86KB

MD5
0c9c366aa9938df153c406db65debe82

SHA1
d1962e88cd821a7d4f6968a885088bd218c420a3

SHA256
84c71e834509c745df5e8e5ea35612b6fcf29f6b8e1bd6029b1f0a5985019a9c

SHA512
7703f27113cc22ce349b3a7dc4a3e619c01daf3b0becf5457c6dbee400b8ffb80559084f20e93120fbc2f744df5c6fb08b8905b9138776785ae21e1c56c2f7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\complot.ppt

Filesize
1.8MB

MD5
dae50482d640385a5665272cd1f716df

SHA1
d68f440af05e201e1dbdc880bc03865c310e82b8

SHA256
1e65d884696b3dd0fed8e2775832361926d29e235cd2786b26d6fe2da2375304

SHA512
b3268a0e4091316e14e5f6cf994227b974cda67ece7295f0b2125d17065dca90110434a0faeeb40ae614daefa5741668a48b201d1694d24d5c7f4ecfebe16702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\msedge_elf.dll

Filesize
3.9MB

MD5
af273f24b4417dce302cf1923fb56c71

SHA1
c5a3b635b49770023702bb36aaf9aaa0de2953fb

SHA256
f9ed651226a734f781e881141c88caa5f0a77e56458d0c567989b5797d39226f

SHA512
4670989a28bcf18b2101f7e7a5bc1de5cec9327c259e812a09650b46cdfa1d2b393c04f691ff6f40e03e023b5b85271ad9e969f13f33f29834b51e1ef5a280e8

Download Submit
memory/532-546-0x00007FF97E1B0000-0x00007FF97E3A5000-memory.dmp

Filesize
2.0MB

Download
memory/532-550-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/532-551-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/532-555-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/1592-558-0x00007FF97E1B0000-0x00007FF97E3A5000-memory.dmp

Filesize
2.0MB

Download
memory/1592-563-0x0000000000E40000-0x0000000001085000-memory.dmp

Filesize
2.3MB

Download
memory/1592-564-0x0000000000E40000-0x0000000001085000-memory.dmp

Filesize
2.3MB

Download
memory/4908-543-0x00007FF95F540000-0x00007FF95F6B2000-memory.dmp

Filesize
1.4MB

Download
memory/4908-542-0x00007FF95F540000-0x00007FF95F6B2000-memory.dmp

Filesize
1.4MB

Download
memory/4908-538-0x00007FF95F540000-0x00007FF95F6B2000-memory.dmp

Filesize
1.4MB

Download

Resubmissions

Analysis

Sharing