vidar | 979e872622b1ae7ca6e9cb3599de8e400b3bfe537d3cb64261dffaa7956baa50

Analysis

max time kernel
1740s
max time network
1751s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

@#LATEST_SoftWare_2024_PASSCODE_$.rar
Size

51.5MB
MD5

c7c3d6aaa70594d6df0b8f3f40a7e2f6
SHA1

74f4da75221222f336009025a358366eaf6c1d68
SHA256

979e872622b1ae7ca6e9cb3599de8e400b3bfe537d3cb64261dffaa7956baa50
SHA512

c23ea4a4c280a529e798a89525fa14b02156d18e8029edb93920dcc1144d1346eb5ff18ebbc80caf55ab391205d7fa0b19d5dab1e029db523648e4b26f7af0b1
SSDEEP

786432:dMPQ7x53FKvsZTMlKxppk7c8joaJ6eWd7Gt9BZjQZfDG3q9PhUwuMr+NegCHR:dMP+/3F6StAoalWd7wOFawVRj

Score

10^/10

vidar 04eb8f77b9c9e4d5a6a6e5a3b727c27e stealer

Malware Config

Extracted

Family

vidar

Botnet

04eb8f77b9c9e4d5a6a6e5a3b727c27e

https://graims.xyz

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes

profile_id_v2
04eb8f77b9c9e4d5a6a6e5a3b727c27e
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral3/memory/3036-404-0x0000000001100000-0x0000000001852000-memory.dmp	family_vidar_v7
behavioral3/memory/3036-410-0x0000000001100000-0x0000000001852000-memory.dmp	family_vidar_v7
behavioral3/memory/3036-412-0x0000000001100000-0x0000000001852000-memory.dmp	family_vidar_v7
behavioral3/memory/2012-418-0x0000000000570000-0x0000000000CC2000-memory.dmp	family_vidar_v7
behavioral3/memory/2012-421-0x0000000000570000-0x0000000000CC2000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 2 IoCs

pid	Process
1936	Setup.exe
3272	Setup.exe

Loads dropped DLL 11 IoCs

pid	Process
1936	Setup.exe
1936	Setup.exe
1936	Setup.exe
1936	Setup.exe
1936	Setup.exe
3272	Setup.exe
3272	Setup.exe
3272	Setup.exe
3272	Setup.exe
3036	PsExec.exe
2012	PsExec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 3148	1936	Setup.exe	104
PID 3272 set thread context of 3596	3272	Setup.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2344	3036	WerFault.exe	106
2084	2012	WerFault.exe	114

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1936	Setup.exe
1936	Setup.exe
3148	ftp.exe
3148	ftp.exe
3272	Setup.exe
3272	Setup.exe
3596	ftp.exe
3596	ftp.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1936	Setup.exe
3148	ftp.exe
3272	Setup.exe
3596	ftp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4868	7zFM.exe
Token: 35	4868	7zFM.exe
Token: SeSecurityPrivilege	4868	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4868	7zFM.exe
4868	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
712	OpenWith.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3148	1936	Setup.exe	104
PID 1936 wrote to memory of 3148	1936	Setup.exe	104
PID 1936 wrote to memory of 3148	1936	Setup.exe	104
PID 1936 wrote to memory of 3148	1936	Setup.exe	104
PID 3148 wrote to memory of 3036	3148	ftp.exe	106
PID 3148 wrote to memory of 3036	3148	ftp.exe	106
PID 3148 wrote to memory of 3036	3148	ftp.exe	106
PID 3148 wrote to memory of 3036	3148	ftp.exe	106
PID 3148 wrote to memory of 3036	3148	ftp.exe	106
PID 3272 wrote to memory of 3596	3272	Setup.exe	108
PID 3272 wrote to memory of 3596	3272	Setup.exe	108
PID 3272 wrote to memory of 3596	3272	Setup.exe	108
PID 3272 wrote to memory of 3596	3272	Setup.exe	108
PID 3596 wrote to memory of 2012	3596	ftp.exe	114
PID 3596 wrote to memory of 2012	3596	ftp.exe	114
PID 3596 wrote to memory of 2012	3596	ftp.exe	114
PID 3596 wrote to memory of 2012	3596	ftp.exe	114
PID 3596 wrote to memory of 2012	3596	ftp.exe	114

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\@#LATEST_SoftWare_2024_PASSCODE_$.rar
1⤵
- Modifies registry class
PID:1564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\@#LATEST_SoftWare_2024_PASSCODE_$.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4868

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    3⤵
    - Loads dropped DLL
    PID:3036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1460
      4⤵
      Program crash
      PID:2344

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    3⤵
    - Loads dropped DLL
    PID:2012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1452
      4⤵
      Program crash
      PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3036 -ip 3036
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2012 -ip 2012
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16375d56

Filesize
6.6MB

MD5
94cee090975b8f8e69692eec508a6492

SHA1
774d7902b41e9f58d528e1fce3ddd409dceeddbb

SHA256
5b575468c946e022afa7cc296c45554ff82dd815c958e3913a8f555a7617bbdb

SHA512
88532e972c819868dde604d0c58c7b7f89a71a514aed35033b0feb2c135991a198d45eb7b0f6ddcee45256108c06feb75dde029c3a21c92a20f5e17d909f2986

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsExec.exe

Filesize
699KB

MD5
24a648a48741b1ac809e47b9543c6f12

SHA1
3e2272b916da4be3c120d17490423230ab62c174

SHA256
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

SHA512
b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae82d765

Filesize
6.6MB

MD5
7d959e304e87ed81494b634fc10c6a4a

SHA1
92c25d2dbffabb54312339eabe993ea2f18c1add

SHA256
345d7b1067c746d8297a715ee2c8bf74410d39a866f86b2b587abce9be571ea4

SHA512
102526ac292f39e38d2623fa53ac3f0b44a7e2741dfbbabf0794250a22ae1b3e57fc5d564e1aeaf08a3c2b93d5afd104a339dfe5e45ff6c086995345d645f3b5

Download Submit
C:\Users\Admin\Desktop\Setup.exe

Filesize
31KB

MD5
67dedab5bc0159f7cc61cb4b46daa6f1

SHA1
5d57ef4bd9b6ac672c413c5e8495263672f090e3

SHA256
0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00

SHA512
4c7ed5d6e0a76ac6eec79e50ae9cd4b5fe3eacda574606e47d85bba1739902d688aa6f5ec03e7863ec9d36bdadf6229f64bce8fe33bacf38e84e50332a30caf0

Download Submit
C:\Users\Admin\Desktop\bersagliere.yml

Filesize
52KB

MD5
5c1674067e3ef99382ab283fc7e969e3

SHA1
3c2fe52472aaedf690bab16fa801bbe4b36002cf

SHA256
91fd630301631b88685602bf0d7353585c18e589189ed11ec620b37021683553

SHA512
17f6fb9675c6f106789dba4e3df8adcaf4a297ad08bc28a223694e2080d61e7901a612b1c4dab674467241ddeb72597bc19db866247debdc0e32480bd53f9ac2

Download Submit
C:\Users\Admin\Desktop\bivouac.m4a

Filesize
6.0MB

MD5
a1eaf011cca5726076ccfca62fd90a11

SHA1
b92e274b4793d2f4e69111ccdf93182e7e7ddb64

SHA256
11336a2aa99ff767dc4e547f8ce5924abeb2e440f6373e82dbd13c5c3ac873ff

SHA512
ffa07420d4a8a3a9828d079f5ff043f1c70704bcac74d10d59bdd52d56e84aad39cd14610c53b8229710b5faccccd3d58a1e8ce36fc472df58cec5802acf1402

Download Submit
C:\Users\Admin\Desktop\glib-2.0.dll

Filesize
1.0MB

MD5
2c86ec2ba23eb138528d70eef98e9aaf

SHA1
246846a3fe46df492f0887a31f7d52aae4faa71a

SHA256
030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b

SHA512
396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

Download Submit
C:\Users\Admin\Desktop\iconv.dll

Filesize
1.1MB

MD5
862dfc9bf209a46d6f4874614a6631cc

SHA1
43216aae64df217cba009145b6f9ad5b97fe927a

SHA256
84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b

SHA512
b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

Download Submit
C:\Users\Admin\Desktop\intl.dll

Filesize
87KB

MD5
d1a21e38593fddba8e51ed6bf7acf404

SHA1
759f16325f0920933ac977909b7fe261e0e129e6

SHA256
6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e

SHA512
3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

Download Submit
C:\Users\Admin\Desktop\vmtools.dll

Filesize
617KB

MD5
f59ab22b88d1b2081810739c72bfa307

SHA1
e8c4651f185225b3da91e2e24a17fcb95fc40773

SHA256
0388d021f33fb0b922011854e3b49427c4ab38689f7d1ce663e9def6edc323f4

SHA512
e67c93b2b6eeeeb95396e6c7cf7217cc8503d8e6824a7941d6fb2d971049abeb974e880392868b0687b16eef41cdb70ef70b70fa92ab284d863105324ab819dd

Download Submit
memory/1936-365-0x00000000744C0000-0x000000007463B000-memory.dmp

Filesize
1.5MB

Download
memory/1936-366-0x00007FFF46230000-0x00007FFF46425000-memory.dmp

Filesize
2.0MB

Download
memory/1936-373-0x00000000744C0000-0x000000007463B000-memory.dmp

Filesize
1.5MB

Download
memory/2012-421-0x0000000000570000-0x0000000000CC2000-memory.dmp

Filesize
7.3MB

Download
memory/2012-418-0x0000000000570000-0x0000000000CC2000-memory.dmp

Filesize
7.3MB

Download
memory/2012-420-0x00007FFF46230000-0x00007FFF46425000-memory.dmp

Filesize
2.0MB

Download
memory/3036-410-0x0000000001100000-0x0000000001852000-memory.dmp

Filesize
7.3MB

Download
memory/3036-404-0x0000000001100000-0x0000000001852000-memory.dmp

Filesize
7.3MB

Download
memory/3036-406-0x00007FFF46230000-0x00007FFF46425000-memory.dmp

Filesize
2.0MB

Download
memory/3036-412-0x0000000001100000-0x0000000001852000-memory.dmp

Filesize
7.3MB

Download
memory/3148-378-0x00000000744C0000-0x000000007463B000-memory.dmp

Filesize
1.5MB

Download
memory/3148-376-0x00007FFF46230000-0x00007FFF46425000-memory.dmp

Filesize
2.0MB

Download
memory/3272-407-0x00000000744C0000-0x000000007463B000-memory.dmp

Filesize
1.5MB

Download
memory/3272-389-0x00007FFF46230000-0x00007FFF46425000-memory.dmp

Filesize
2.0MB

Download
memory/3272-388-0x00000000744C0000-0x000000007463B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-411-0x00007FFF46230000-0x00007FFF46425000-memory.dmp

Filesize
2.0MB

Download