vidar | bcb04dd0b21bb1bea097a7b8d8f95429c657ce8db622a5c5d3b82f157ab6c6a0

General

Target

Setup.exe
Size

202KB
MD5

64179e64675e822559cac6652298bdfc
SHA1

cceed3b2441146762512918af7bf7f89fb055583
SHA256

c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512

ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
SSDEEP

3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Score

10^/10

vidar a5215640c3d06b049aee58cc78e4057d discovery stealer

Malware Config

Extracted

Family

vidar

Version

8.3

Botnet

a5215640c3d06b049aee58cc78e4057d

C2

https://78.47.78.87

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik

Attributes

profile_id_v2
a5215640c3d06b049aee58cc78e4057d
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2456-27-0x00000000006D0000-0x0000000000E18000-memory.dmp	family_vidar_v7
behavioral1/memory/2456-34-0x00000000006D0000-0x0000000000E18000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2536	2376	Setup.exe	30

Loads dropped DLL 7 IoCs

pid	Process
2536	more.com
2456	GraphicsFillRect.au3
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2796	2456	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GraphicsFillRect.au3
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2376	Setup.exe
2376	Setup.exe
2536	more.com
2536	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2376	Setup.exe
2536	more.com

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2536	2376	Setup.exe	30
PID 2376 wrote to memory of 2536	2376	Setup.exe	30
PID 2376 wrote to memory of 2536	2376	Setup.exe	30
PID 2376 wrote to memory of 2536	2376	Setup.exe	30
PID 2376 wrote to memory of 2536	2376	Setup.exe	30
PID 2536 wrote to memory of 2456	2536	more.com	33
PID 2536 wrote to memory of 2456	2536	more.com	33
PID 2536 wrote to memory of 2456	2536	more.com	33
PID 2536 wrote to memory of 2456	2536	more.com	33
PID 2536 wrote to memory of 2456	2536	more.com	33
PID 2536 wrote to memory of 2456	2536	more.com	33
PID 2456 wrote to memory of 2796	2456	GraphicsFillRect.au3	34
PID 2456 wrote to memory of 2796	2456	GraphicsFillRect.au3	34
PID 2456 wrote to memory of 2796	2456	GraphicsFillRect.au3	34
PID 2456 wrote to memory of 2796	2456	GraphicsFillRect.au3	34

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\GraphicsFillRect.au3
    C:\Users\Admin\AppData\Local\Temp\GraphicsFillRect.au3
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 128
      4⤵
      Loads dropped DLL
      Program crash
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7b4b4b2b

Filesize
6.8MB

MD5
dd1b8432caff27d5cdc3014d28284c33

SHA1
185e5e09ece937964fe1b2689c00a3b294f33ca5

SHA256
b7ed972a3c15cff447f8af48e38e0858f9a9133e434d2bd35d616f7a6c4d6895

SHA512
46d0b2f1b7f73c0095a786638fbefb8fc004742f612ef9753c3f396167f9b097d687e7c08f1fb2e9105ea24b2c661ee72cdbafd81c61fc18b7ad2427481f3ef3

Download Submit
\Users\Admin\AppData\Local\Temp\GraphicsFillRect.au3

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
memory/2376-12-0x0000000074691000-0x00000000746A3000-memory.dmp

Filesize
72KB

Download
memory/2376-0-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2376-9-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/2376-10-0x0000000074691000-0x00000000746A3000-memory.dmp

Filesize
72KB

Download
memory/2456-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-27-0x00000000006D0000-0x0000000000E18000-memory.dmp

Filesize
7.3MB

Download
memory/2456-34-0x00000000006D0000-0x0000000000E18000-memory.dmp

Filesize
7.3MB

Download
memory/2536-13-0x0000000074690000-0x0000000074804000-memory.dmp

Filesize
1.5MB

Download
memory/2536-15-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2536-17-0x0000000074690000-0x0000000074804000-memory.dmp

Filesize
1.5MB

Download
memory/2536-18-0x0000000074690000-0x0000000074804000-memory.dmp

Filesize
1.5MB

Download
memory/2536-25-0x0000000074690000-0x0000000074804000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing