vidar | 3dd24bfc6728959f084de536645e2bd20318e4a709b41cddb9245147922da1d0

General

Target

f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
Size

1.2MB
MD5

f5b693e65bb05bd6916e29cbb1adb1cc
SHA1

8ed9365deb17627a4d5ff4fb5a1467c8beab2031
SHA256

3dd24bfc6728959f084de536645e2bd20318e4a709b41cddb9245147922da1d0
SHA512

df8444288514c3da117ba5115ca357851af7ecdea8d73299a944a0694ffb7de57b39cee92fc827c994b550de58089316df5c5bcc5c96c43178dc5f57c6e0bf68
SSDEEP

24576:oaPADnvDHtyGnOJlIqeJC6e0ZVmPGZK40Nx1O97P6iaSVVu1kqE27:iDnrHIGnulIJC6L4uZf0D1BuV+EI

Score

10^/10

vidar 93 defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

24

Botnet

93

C2

http://wrangellse.com/

Attributes

profile_id
93

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2720-38-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar
behavioral1/memory/2720-39-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar

Executes dropped EXE 2 IoCs

pid	Process
380	dwm.com
2688	dwm.com

Loads dropped DLL 5 IoCs

pid	Process
2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
1760	cmd.exe
380	dwm.com

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1760	cmd.exe
2176	certutil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2720	2688	dwm.com	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2756	PING.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2756	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2688	dwm.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
380	dwm.com
380	dwm.com
380	dwm.com
2688	dwm.com
2688	dwm.com
2688	dwm.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
380	dwm.com
380	dwm.com
380	dwm.com
2688	dwm.com
2688	dwm.com
2688	dwm.com

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1760	2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe	30
PID 2092 wrote to memory of 1760	2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe	30
PID 2092 wrote to memory of 1760	2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe	30
PID 2092 wrote to memory of 1760	2092	f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2176	1760	cmd.exe	32
PID 1760 wrote to memory of 2176	1760	cmd.exe	32
PID 1760 wrote to memory of 2176	1760	cmd.exe	32
PID 1760 wrote to memory of 2176	1760	cmd.exe	32
PID 1760 wrote to memory of 380	1760	cmd.exe	33
PID 1760 wrote to memory of 380	1760	cmd.exe	33
PID 1760 wrote to memory of 380	1760	cmd.exe	33
PID 1760 wrote to memory of 380	1760	cmd.exe	33
PID 380 wrote to memory of 2688	380	dwm.com	35
PID 380 wrote to memory of 2688	380	dwm.com	35
PID 380 wrote to memory of 2688	380	dwm.com	35
PID 380 wrote to memory of 2688	380	dwm.com	35
PID 1760 wrote to memory of 2756	1760	cmd.exe	36
PID 1760 wrote to memory of 2756	1760	cmd.exe	36
PID 1760 wrote to memory of 2756	1760	cmd.exe	36
PID 1760 wrote to memory of 2756	1760	cmd.exe	36
PID 2688 wrote to memory of 2720	2688	dwm.com	37
PID 2688 wrote to memory of 2720	2688	dwm.com	37
PID 2688 wrote to memory of 2720	2688	dwm.com	37
PID 2688 wrote to memory of 2720	2688	dwm.com	37
PID 2688 wrote to memory of 2720	2688	dwm.com	37

C:\Users\Admin\AppData\Local\Temp\f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5b693e65bb05bd6916e29cbb1adb1cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c <nul set /p ="M" > dwm.com & type SmdLPo.com >> dwm.com & del SmdLPo.com & certutil -decode zje.com F & dwm.com F & ping 127.0.0.1 -n 2 > nul & del zje.com & del F
  2⤵
  - Loads dropped DLL
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode zje.com F
    3⤵
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\dwm.com
    dwm.com F
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\dwm.com
      C:\Users\Admin\AppData\Local\Temp\dwm.com F
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\SysWOW64\dllhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F

Filesize
224KB

MD5
d82d5bba1efff5f3f16c44fa7367d138

SHA1
2eec25a2b861817104e5b099f0e46d8a89a04ef8

SHA256
a8f444fa060af6fa08e6bb49477459562afceb382363cc6319c0c752c65a1621

SHA512
24bf57cb3c5945e3f5c4027c4d4bbf627ff2dfac6a9f351ff22fbdad82d1dae321313117aa029bc87aefada7a0565a6b991112bc6550a003f58e44d6e4a66b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmdLPo.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFaqy.com

Filesize
541KB

MD5
b6fb845a94115b7583ecc5223b45f8ef

SHA1
780294d122e9e4f520173ff36c31bd08ba1df259

SHA256
99870c51d7f5d3dde7314f9b7df5755b59bbc48f6c483dcc3de0fa788553a02e

SHA512
0d69c3243a6d50fae320b20e8f1d4b71437b8a13b354b4146fd2104998e0fee34202382d3d6a0d52735f596a104576f0f1862ab1777dcaaa84ec63005252d6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zje.com

Filesize
308KB

MD5
cdfc8eee32871d7c15ad00e135dc4a48

SHA1
92d9341cc1fc013325504b5abd0318df059869a6

SHA256
5a8257ee7b6d4808356e561a7525f24b006337bb9d0d106cd24239ccf8ca6ca6

SHA512
237b18708fc994771ada63b52427af556e3a9c9279553164a8bf5b394b894413fad23f1a70da85eff53e23d3822ffbc38aae66da233572bc21897e564e9558fe

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC7C3.tmp\LUwrIrYO.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC7C3.tmp\QQxlhlSY.dll

Filesize
68KB

MD5
44e5c77cae3ae434d1e4e619bdb1c39b

SHA1
9988f020eac45207d148668227b6819a38bdafa0

SHA256
326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579

SHA512
c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC7C3.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/2720-38-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2720-39-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing