vidar | 8435702911a3d6ebac7acef5aff7bc30395427892c1ddf39647b912a93260258

Analysis

max time kernel
94s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
Size

1.1MB
MD5

165c328dfa78a39f3aa2889904fb49ae
SHA1

2c9456d25869b7c172deced0024d26c20254c067
SHA256

8435702911a3d6ebac7acef5aff7bc30395427892c1ddf39647b912a93260258
SHA512

963ffe6191d8b8e274677bd95c4a6e023313bb5060e2fac4012356405965cc784ca2b783401b8423f1dab56d378f86a54c4e7d6d410a2e49cfa701907471c0ef
SSDEEP

12288:00grFXz2n/uSZRDQDwAqvGz1AqIrwPKBXMftHG9aYWulFHCLQS5Ms8:/qFU/FcSuRoEPmXG1Yvnzp

Score

10^/10

vidar 2e711c8b5340db8e327be6ebd943b70a credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

10.6

Botnet

2e711c8b5340db8e327be6ebd943b70a

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/1484-24-0x0000000004630000-0x0000000004873000-memory.dmp	family_vidar_v7
behavioral2/memory/1484-25-0x0000000004630000-0x0000000004873000-memory.dmp	family_vidar_v7
behavioral2/memory/1484-26-0x0000000004630000-0x0000000004873000-memory.dmp	family_vidar_v7
behavioral2/memory/1484-28-0x0000000004630000-0x0000000004873000-memory.dmp	family_vidar_v7
behavioral2/memory/1484-29-0x0000000004630000-0x0000000004873000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Trainer.pif

Executes dropped EXE 1 IoCs

pid	Process
1484	Trainer.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5084	tasklist.exe
3100	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ReplacedProper	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
File opened for modification	C:\Windows\TourismDover	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
File opened for modification	C:\Windows\GradMonster	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
File opened for modification	C:\Windows\EroticJohns	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
File opened for modification	C:\Windows\CivilMentor	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
File opened for modification	C:\Windows\TalkingFresh	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
File opened for modification	C:\Windows\AxisSounds	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trainer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trainer.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trainer.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5048	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	tasklist.exe
Token: SeDebugPrivilege	3100	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1484	Trainer.pif
1484	Trainer.pif
1484	Trainer.pif

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 2496	100	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe	81
PID 100 wrote to memory of 2496	100	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe	81
PID 100 wrote to memory of 2496	100	SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe	81
PID 2496 wrote to memory of 5084	2496	cmd.exe	83
PID 2496 wrote to memory of 5084	2496	cmd.exe	83
PID 2496 wrote to memory of 5084	2496	cmd.exe	83
PID 2496 wrote to memory of 4392	2496	cmd.exe	84
PID 2496 wrote to memory of 4392	2496	cmd.exe	84
PID 2496 wrote to memory of 4392	2496	cmd.exe	84
PID 2496 wrote to memory of 3100	2496	cmd.exe	86
PID 2496 wrote to memory of 3100	2496	cmd.exe	86
PID 2496 wrote to memory of 3100	2496	cmd.exe	86
PID 2496 wrote to memory of 1644	2496	cmd.exe	87
PID 2496 wrote to memory of 1644	2496	cmd.exe	87
PID 2496 wrote to memory of 1644	2496	cmd.exe	87
PID 2496 wrote to memory of 4208	2496	cmd.exe	90
PID 2496 wrote to memory of 4208	2496	cmd.exe	90
PID 2496 wrote to memory of 4208	2496	cmd.exe	90
PID 2496 wrote to memory of 3540	2496	cmd.exe	91
PID 2496 wrote to memory of 3540	2496	cmd.exe	91
PID 2496 wrote to memory of 3540	2496	cmd.exe	91
PID 2496 wrote to memory of 1808	2496	cmd.exe	92
PID 2496 wrote to memory of 1808	2496	cmd.exe	92
PID 2496 wrote to memory of 1808	2496	cmd.exe	92
PID 2496 wrote to memory of 1484	2496	cmd.exe	93
PID 2496 wrote to memory of 1484	2496	cmd.exe	93
PID 2496 wrote to memory of 1484	2496	cmd.exe	93
PID 2496 wrote to memory of 3372	2496	cmd.exe	94
PID 2496 wrote to memory of 3372	2496	cmd.exe	94
PID 2496 wrote to memory of 3372	2496	cmd.exe	94
PID 1484 wrote to memory of 2588	1484	Trainer.pif	99
PID 1484 wrote to memory of 2588	1484	Trainer.pif	99
PID 1484 wrote to memory of 2588	1484	Trainer.pif	99
PID 2588 wrote to memory of 5048	2588	cmd.exe	101
PID 2588 wrote to memory of 5048	2588	cmd.exe	101
PID 2588 wrote to memory of 5048	2588	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Lips Lips.cmd & Lips.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 736975
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4208
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "BooleanPrAntiBeneath" T
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Hawk + Batteries + Buf + Players 736975\s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\736975\Trainer.pif
    Trainer.pif s
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\736975\Trainer.pif" & rd /s /q "C:\ProgramData\GHDHDBAECGCA" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5048
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\736975\Trainer.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\736975\s

Filesize
285KB

MD5
3e229c21110ef93ff681ea69c7b30d8f

SHA1
3a94449decf3f21d853fc7dbc09e520e4c3b4fe9

SHA256
72b4471718c891f8c25a7526149dfa59774008ac74de973e524d964247f0097b

SHA512
ab4546d26b4279fd0f53554b89b87d12bed024b46fc1191cb82c25a04b35471087bc03edc71cf7e799c93751f10f3aa1503048aaed88c1729c5b9c5984d3fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batteries

Filesize
92KB

MD5
ea3c09bcb898319b776b3d63919fa504

SHA1
b963344145ebbc646df99279ec60e9fb5ae37732

SHA256
72e51a5968b0b35f1977f7342604daab95c7ae314d0940e84333468c752f3ad4

SHA512
9c7223369bca073630f7f575de2e910fa1a8939142ddcbea685ed763f52660aecad0131be008f4b40fd20cd87ad3200783261e927b2d72fd73bd05f0820c6778

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buf

Filesize
86KB

MD5
8f42832b644e206b408dc3ae2f89acd5

SHA1
d5b61eb0a52e69e2957198b396ddfabd4d8066bb

SHA256
550dbf9411d5fd38c0388a5ee460dc8ad598c333192f31d053c382b731f361a5

SHA512
e440ed87b928cf155e3eaeb1facbe3a4e141cfb4b2e0852601adb00da326a1b4d75ce42dd6c308923d9df596351262443d108572ef961b360ba07e8ace21d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hawk

Filesize
93KB

MD5
99900f51ef93bcc0931acba1a7662b3a

SHA1
393e7396ff590f4079c39bfa43089eeb554ecd9a

SHA256
f7e26320c270a2456fc5dd6632df62af3852c9a26dd5946003283abd6dec6c3b

SHA512
a192ea0128e81795b9fb92552a9b7e2f7533c690f6fd952416abc3ecf382b0c33c7ed25308ac9832e7c264d3d1b42605f406601e3e559a0de26ffa356cc83a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jersey

Filesize
871KB

MD5
f941cf7be37b239f2102bb05b3e36fb9

SHA1
f2c434c1e26ca4db3eb66f476b7459479eed0721

SHA256
be0b8bb3f6659c24d22062f4744672118a8b1e8eb53ebd2de5c3d9ca2472325e

SHA512
775cadba853a242ae6be79c2def769de498924651e12c452eb679855c777ff5f31a928df95cc0fcf08923c590bc5eb6cbe17368b214193b5ce99049788ccc36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lips

Filesize
10KB

MD5
d424f95514ea2f2ca227932c5d8b1a14

SHA1
c9e60f83ff0bac1c93628daaa9e2a11615bd058d

SHA256
2160dfa2ffe37e8de024bed55cf07d8309a2bdd05b7ae6b8c328406e11ae8639

SHA512
0c0a6a1e6b4057cb0df98d8b958e5ff422dcb30666519bb332dfc468bc93c7a2047680a0a9ce7fad5fe772a79410a81e91c51be8254f07eed80b0601318ec2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Players

Filesize
14KB

MD5
13f08c77471dfefa2ac2d9871ec958e5

SHA1
4ce74ff3db310d9f9a36e38b727962ad329fd18b

SHA256
e0e05fa17f39ea6686525bd9bdda4616d00e298a0b70cc6106d081cfcb7bfba8

SHA512
56d30daddc51d9633d35f19ef7c72945cc5d7e5d18fb2b2aa7c97d92f6de7b72ce6f7e3ba3c288ca6a114d9b2e7b15d4de8306fbb12bf96d6c4076b7c8c8cbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\T

Filesize
982B

MD5
3d794b01d9059eb20160ce36a870bf05

SHA1
f22a4e7d0d0eaf4d8c0b93c2eb2557f6203326a0

SHA256
31cd814281753e78d2592dd77aeb540539f20b6e9e87d6ff71a9dece9f6d1f09

SHA512
d0fb112aa8d5d0ed286a13df66bf4b36e49e327267ee34ba419422d09a70c9454022cc7c8ed7b2ec57ddf91a8af9c35fdc5c2f7be8b912a7c64ff56b5a4e6018

Download Submit
memory/1484-21-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-22-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-23-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-24-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-25-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-26-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-28-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download
memory/1484-29-0x0000000004630000-0x0000000004873000-memory.dmp

Filesize
2.3MB

Download