vidar | da1430adcfc60f0ba6c3916b066fd3eec155c2d58667c173d4905e005ae9b40d

Analysis

max time kernel
33s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

782.1MB
MD5

944c5dcfee6a31997bc071714acc16ac
SHA1

95ecd1cc21dbcd4c53bc8d343de77141a8537464
SHA256

021d312bfced31460133b3273160724c206be47ca14d77e5501e74745bc98b5e
SHA512

9c46fd3e45d987882d945411681ec41593246a896e19b78b0e4e087c5baa6bc9e3f3a3f897c6d2262aa408d38db09f67b50513fc5f5f49d22baae3e693fdd56b
SSDEEP

98304:Xup40mo66VtJQoAr/uHBHqCUDBMbl+qEg23ojfeyr4KTZJcBcBcBcBcBcBcBcBcB:w40mz6VhAr/aUDBMB5EDA5rbY

Score

10^/10

vidar 5e9aa6efe02ef7be95c93d26d4d759c6 discovery stealer

Malware Config

Extracted

Family

vidar

Version

7.4

Botnet

5e9aa6efe02ef7be95c93d26d4d759c6

https://t.me/lve24v

https://steamcommunity.com/profiles/76561199612212584

Attributes

profile_id_v2
5e9aa6efe02ef7be95c93d26d4d759c6
user_agent
Mozilla/5.0 (X11; Kubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/60-5-0x00000000008F0000-0x00000000012AB000-memory.dmp	family_vidar_v7
behavioral1/memory/60-7-0x00000000008F0000-0x00000000012AB000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4376	60	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	Setup.exe
60	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:60
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1776
  2⤵
  - Program crash
  PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-0-0x00000000008F0000-0x00000000012AB000-memory.dmp

Filesize
9.7MB

Download
memory/60-1-0x0000000000B29000-0x0000000000D8F000-memory.dmp

Filesize
2.4MB

Download
memory/60-2-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/60-5-0x00000000008F0000-0x00000000012AB000-memory.dmp

Filesize
9.7MB

Download
memory/60-7-0x00000000008F0000-0x00000000012AB000-memory.dmp

Filesize
9.7MB

Download
memory/60-8-0x0000000000B29000-0x0000000000D8F000-memory.dmp

Filesize
2.4MB

Download