vidar | c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e

Resubmissions

27/07/2024, 17:08

240727-vnrrpszapr 10

24/07/2024, 13:55

240724-q8e67aygrr 10

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
Size

5.3MB
MD5

f109fd54fa6c14302beff44d666a6ade
SHA1

912ad7378e837b82524c7d41e9792242bc5feacc
SHA256

29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b
SHA512

38fb7b93975931cdedbd360672ac51a75de4a59883419ee46b4e739ebf1f13dfa9703062c4bba2df7cd717a5b089e364f33eb42b9fd2a703aac78da6eeeef69c
SSDEEP

49152:7ccw6QFnEEabMHciiW/LhKq3FWhR3PIa1p0seWJb9sMS0Z0fCnZ0qstZNweCRmeF:7PIKEabM87W/KIatvBaqstZsRmqEQ

Score

10^/10

vidar b607a7a47e1a6ff266af835d50c6eaa5 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

10.5

Botnet

b607a7a47e1a6ff266af835d50c6eaa5

https://t.me/s41l0

https://steamcommunity.com/profiles/76561199743486170

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral14/memory/4928-66-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral14/memory/4928-68-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral14/memory/4928-72-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral14/memory/4928-84-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral14/memory/4928-148-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral14/memory/4928-151-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3232	timeout.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
4928	MSBuild.exe
4928	MSBuild.exe
4928	MSBuild.exe
4928	MSBuild.exe
4928	MSBuild.exe
4928	MSBuild.exe
4928	MSBuild.exe
4928	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1804	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	86
PID 1572 wrote to memory of 1804	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	86
PID 1572 wrote to memory of 1804	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	86
PID 1572 wrote to memory of 3028	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	87
PID 1572 wrote to memory of 3028	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	87
PID 1572 wrote to memory of 3028	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	87
PID 1572 wrote to memory of 1628	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	88
PID 1572 wrote to memory of 1628	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	88
PID 1572 wrote to memory of 1628	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	88
PID 1572 wrote to memory of 1556	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	89
PID 1572 wrote to memory of 1556	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	89
PID 1572 wrote to memory of 1556	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	89
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 1572 wrote to memory of 4928	1572	29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe	90
PID 4928 wrote to memory of 2052	4928	MSBuild.exe	102
PID 4928 wrote to memory of 2052	4928	MSBuild.exe	102
PID 4928 wrote to memory of 2052	4928	MSBuild.exe	102
PID 2052 wrote to memory of 3232	2052	cmd.exe	104
PID 2052 wrote to memory of 3232	2052	cmd.exe	104
PID 2052 wrote to memory of 3232	2052	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
"C:\Users\Admin\AppData\Local\Temp\29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EHDGCGIDAKEB" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CBGCBKFBGI.exe

Filesize
670B

MD5
6964e33aa600364f7e686c012ae58ca4

SHA1
433429e9cf47708027caa420471d32cfa5757b4f

SHA256
c32fc317c2f817064193f0fed06ca69e2485e2f142cc48ca1e8c39a7d4bdd302

SHA512
1037e71903bf0f74bd79fd6103378a55c8b90a9df8e7188e0bee84861b3a9542a754e10c759ee9380f7900b34aa066677b67b85364535d50beea945b67fce7b1

Download Submit
C:\ProgramData\EGDBAFHJJD.exe

Filesize
953B

MD5
6ca86973f8e850933509249965b9ff40

SHA1
0300467b5ad6ebd2b359055532575fbb02146764

SHA256
a6581dbc0708985a12bec756110de28d831d4e6771c5a99e04c04ab4147d8b4e

SHA512
03df8c140c279034a1a1ac3fe26e8612b934663c7fe301d6bd99bcadef23902be21967ef5a5334388412989dfe57a1aaa74164f57976e3ea0f59589151b35d63

Download Submit
memory/1572-43-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-55-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-4-0x00000000057B0000-0x000000000593A000-memory.dmp

Filesize
1.5MB

Download
memory/1572-5-0x00000000054E0000-0x00000000054FC000-memory.dmp

Filesize
112KB

Download
memory/1572-51-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-65-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-1-0x0000000000700000-0x0000000000C4C000-memory.dmp

Filesize
5.3MB

Download
memory/1572-2-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/1572-70-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-63-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-71-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-6-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-61-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-35-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-57-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-37-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-53-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-49-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-47-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-45-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-0-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/1572-41-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-3-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-39-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-59-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-33-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-31-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-29-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-27-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-25-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-23-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-21-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-19-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-17-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-15-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-13-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-11-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-9-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/1572-7-0x00000000054E0000-0x00000000054F5000-memory.dmp

Filesize
84KB

Download
memory/4928-72-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4928-84-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4928-68-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4928-66-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4928-148-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4928-151-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download