vidar | c2986293fd3df49bad0878f59433be96eb97b16cfe259932bfa780855c50789b

Analysis

max time kernel
120s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe
Size

761KB
MD5

5cb4491917b380b33e06098568d2f9de
SHA1

b14f249e790765f0e7944a00a2dca4db3a761771
SHA256

d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a
SHA512

29c5436cb99702771eabc1af975cbc836666b3cee07f36ec4c7aa0711af85602c12b84495f1f273a19bc2b709d36d396f1a5b6fd6605a7f22e247a59c835ba16
SSDEEP

12288:ifL/nwJZyU+sbjH/lOmPKm/6kwNls5Ht6ygEuTHHtKH0y4bGufUF4KwMrcl8b+C+:ifL/nIEIH/FPRtwNlsX/gbTn+SNfLKwx

Score

10^/10

vidar stealer

Malware Config

Signatures

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2672-32-0x0000000005030000-0x0000000005278000-memory.dmp	family_vidar_v7
behavioral2/memory/2672-31-0x0000000005030000-0x0000000005278000-memory.dmp	family_vidar_v7
behavioral2/memory/2672-30-0x0000000005030000-0x0000000005278000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe

Executes dropped EXE 1 IoCs

Processes:

Interpreted.pif

pid process

2672 Interpreted.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4296 2672 WerFault.exe Interpreted.pif
4864 2672 WerFault.exe Interpreted.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5044 tasklist.exe
996 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3092 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Interpreted.pif

pid process

2672 Interpreted.pif
2672 Interpreted.pif
2672 Interpreted.pif
2672 Interpreted.pif
2672 Interpreted.pif
2672 Interpreted.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 5044 tasklist.exe
Token: SeDebugPrivilege 996 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Interpreted.pif

pid process

2672 Interpreted.pif
2672 Interpreted.pif
2672 Interpreted.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Interpreted.pif

pid process

2672 Interpreted.pif
2672 Interpreted.pif
2672 Interpreted.pif

pid	process
2672	Interpreted.pif

pid	pid_target	process	target process
4296	2672	WerFault.exe	Interpreted.pif
4864	2672	WerFault.exe	Interpreted.pif

pid	process
5044	tasklist.exe
996	tasklist.exe

pid	process
3092	PING.EXE

pid	process
2672	Interpreted.pif
2672	Interpreted.pif
2672	Interpreted.pif
2672	Interpreted.pif
2672	Interpreted.pif
2672	Interpreted.pif

description	pid	process
Token: SeDebugPrivilege	5044	tasklist.exe
Token: SeDebugPrivilege	996	tasklist.exe

pid	process
2672	Interpreted.pif
2672	Interpreted.pif
2672	Interpreted.pif

pid	process
2672	Interpreted.pif
2672	Interpreted.pif
2672	Interpreted.pif

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.execmd.exe

description	pid	process	target process
PID 3972 wrote to memory of 1704	3972	d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe	cmd.exe
PID 3972 wrote to memory of 1704	3972	d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe	cmd.exe
PID 3972 wrote to memory of 1704	3972	d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe	cmd.exe
PID 1704 wrote to memory of 5044	1704	cmd.exe	tasklist.exe
PID 1704 wrote to memory of 5044	1704	cmd.exe	tasklist.exe
PID 1704 wrote to memory of 5044	1704	cmd.exe	tasklist.exe
PID 1704 wrote to memory of 2116	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 2116	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 2116	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 996	1704	cmd.exe	tasklist.exe
PID 1704 wrote to memory of 996	1704	cmd.exe	tasklist.exe
PID 1704 wrote to memory of 996	1704	cmd.exe	tasklist.exe
PID 1704 wrote to memory of 2188	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 2188	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 2188	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 3276	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 3276	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 3276	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 1600	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 1600	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 1600	1704	cmd.exe	findstr.exe
PID 1704 wrote to memory of 4884	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 4884	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 4884	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 1440	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 1440	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 1440	1704	cmd.exe	cmd.exe
PID 1704 wrote to memory of 2672	1704	cmd.exe	Interpreted.pif
PID 1704 wrote to memory of 2672	1704	cmd.exe	Interpreted.pif
PID 1704 wrote to memory of 2672	1704	cmd.exe	Interpreted.pif
PID 1704 wrote to memory of 3092	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 3092	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 3092	1704	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe
"C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Graduation Graduation.bat && Graduation.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:2116

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c md 2802
3⤵
PID:3276

C:\Windows\SysWOW64\findstr.exe
findstr /V "GnomeWednesdayAuburnGreenhouse" Recorded
3⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 2802\Interpreted.pif + Supervisor + Essay + Evaluating + Masters + He 2802\Interpreted.pif
3⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Radical + Vcr + Began 2802\D
3⤵
PID:1440

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif
2802\Interpreted.pif 2802\D
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1552
4⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1508
4⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2672 -ip 2672
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2672 -ip 2672
1⤵
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\D
Filesize
532KB

MD5
8215d0f66e1bf9713f31e642f16bb9d8

SHA1
ed8e83037cafa91328e393d0b918b02af23a0192

SHA256
916a6ace04f4670a8893c504c54fa29ec90a53602bc57c09582f4acfbc52991d

SHA512
b3925a6686feb3f22dea621a42265105f0c54ce98fb5339941b772d86e0f13de0847605b8d132bd245901b0a9aca353f51dcc304b6772343d402f6dd405a8f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif
Filesize
25B

MD5
fd52a26cc53d5dfce3bfaf0aca96d85a

SHA1
295cb026b9fc87fb41fcb5911831cf7ec8986aa0

SHA256
9e7be5dc178aa7a50c756baf297b0c5a5b3c13ce35a3723af5dba8ee5eb39b2e

SHA512
b2f83892ab09d73d36a8d28e6f53b88ba4f0c4632143b7f84e4da333960cac6969719bda23c173cf03665ce8bc36c533a41080240aa53bac3975c94d79403d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Began
Filesize
8KB

MD5
c77b16e97f7769108cef3aeeb9144412

SHA1
38a369ccde64420a2824b9af2e60aa8795fc2007

SHA256
ad233869d1b63220d128ee84914215c456ed4e58711886778ff3ab138e092dea

SHA512
05422dcda50c156a3846702c6dc90903bd78a36bac8b4a8783341e997a633ce988acc996997898e07ca56350fd6b184027b441672a60775216cd2bc281eaee12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Essay
Filesize
82KB

MD5
11c50adff3c20b5b868d4bfacc3c08af

SHA1
ec8896a174c85c984ee94a02ac1d70b92a14252e

SHA256
d777d67f3646834596fd3aa8dafdefb049fc258512a27dff2a58749b51c982ef

SHA512
8d1936edd50661841dbe25c15ea7e9d8c01263054e92dbfad9a018df241bd6d64b273e258d3f8069f64c419479e98c4dad02369ffb84ebeda14fca355ce14046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Evaluating
Filesize
289KB

MD5
b20ec0246a0098216b7b1f21dcb632d3

SHA1
d6f1c7d6261ce60c2cbc66b0ef798dbde80b60d7

SHA256
be541fd93f849c92060d2a22a8a8afea4b2fe1d21436a1c8be860f7080f5681c

SHA512
e029c1adff333c1488256df14f1a979b736f1a34e6740e4315d99cc38d1f3098004e1a643937d8ca92cb043ca78e75ed4756515d21f9fe34b573d56bf8f23e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Graduation
Filesize
11KB

MD5
da02baea87a774e563b759962c831ea3

SHA1
d65ee5057a6974da4ff5815647b6354db3ac7010

SHA256
411217f7cdacd2134b937255cf31400f15bb92b6550cf663f67447118898baac

SHA512
5c1405245714578862718480118a637510bd9ad7585e85e9089a9d4e83784d736a7d13fa1e996a9c2a9a3e282afb6fc8435ece8734c4b954483e51b83a2d020e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\He
Filesize
47KB

MD5
6b322202c85be84c449354b8ffb72486

SHA1
9fc8af9a7d8c084b1861b06f7c593924b7d7e06c

SHA256
e869264685bb4951c93f81cba8697d2b714bcde80a8d7791cee5764efb6710e7

SHA512
df8a425797897dd4a7a50af229edf168da0f7158b6da2957c5976a2d4278ae60655864ec3b2c4d88ea8b45691eda3cbb6be59d00a544a06d6eb6c7e3907ae3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Masters
Filesize
245KB

MD5
297667b5ffbac79814bb1b8725a4fa71

SHA1
cc0e1f0cc4f460088b6d0649068c143734657263

SHA256
a822143e9fdbaa44cf4971a42f94bf82bebef96b86a8c89651aad45db6a03fe0

SHA512
7e53ad1fd548f66bb841bd831030d54016646018457015c0b8f65358b53a080f614a0d82964da5388bb14818c7ef955708717bcfc9a29ade0265e7e5099e985f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Radical
Filesize
272KB

MD5
9ab2ca2a20e5f2bd316208a1217c3467

SHA1
89a541c6151199a54a8789771fc8abca0d008934

SHA256
203a18bc06969b91597b1c6f77646a109f17bd533d71bb52cf3b4144e920f7c0

SHA512
8bc69f6ff0f7db2ab54b7b9534b8a15e744d70dece274cf0365f8cdaf1793778a1897f0311a640b5774189c08dbd3f56fd1eb915da7a93d38fb159fd47482753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Recorded
Filesize
57B

MD5
5b493864bb88a3e8b5bec29f03079481

SHA1
512cb1273824209741ec7edff4b44ba1021906e1

SHA256
efeb5b344808ebd2f5fae26dade7e472f3d64d106a9e7ef23da5f751899b6e72

SHA512
419ab7a48eba12702e748618b21a69a8f4fcb57b998061506af3963d2b2cbd370b161b2ad9d6643dc0ce217b97f69621d783ccee658d038007b8e1cbcfb125b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Supervisor
Filesize
258KB

MD5
995f9dfbb78bbc6ff6e9052d4339723b

SHA1
442c477bd7ffe4c307f24f1a6cd1a7a697b7cc89

SHA256
7003d3092db436f9d544f57e743701006c5f23c326faaa36af5accddc61a4c16

SHA512
686dc6d5ae76a6f31eabb48644af466b1201b0fefcdb0ec350570114ec2f798bbbe3df6030a9dd9a6faf8e6624fbcb966698a8977799ed704122506d6b1c5770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vcr
Filesize
252KB

MD5
d09c285ed3170cd8bc77814fbe1bfc46

SHA1
02d88276965458d97f68b55df4c136bdfa7cbdf8

SHA256
2a579e89be6e5800a865d3a7ec7191418d24c33cba0f95664d6c138405a95ebc

SHA512
e4498b3dd3fe931cfea3ae1ad4f93b06814cc3c582117041bb69d5dc527b1523787fbb5d2d726e621d2b0432e1977a8e0e1707391a6822fc79b8feeaf5d6435f

Download Submit
memory/2672-29-0x0000000005030000-0x0000000005278000-memory.dmp

Filesize
2.3MB

Download
memory/2672-28-0x0000000005030000-0x0000000005278000-memory.dmp

Filesize
2.3MB

Download
memory/2672-27-0x0000000005030000-0x0000000005278000-memory.dmp

Filesize
2.3MB

Download
memory/2672-32-0x0000000005030000-0x0000000005278000-memory.dmp

Filesize
2.3MB

Download
memory/2672-31-0x0000000005030000-0x0000000005278000-memory.dmp

Filesize
2.3MB

Download
memory/2672-30-0x0000000005030000-0x0000000005278000-memory.dmp

Filesize
2.3MB

Download