vidar | 093ba86ff95c854bf65b00fa0cdf654f9785c4a5695a172a1e696d06bbe29952

General

Target

Setup.exe
Size

202KB
MD5

64179e64675e822559cac6652298bdfc
SHA1

cceed3b2441146762512918af7bf7f89fb055583
SHA256

c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512

ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
SSDEEP

3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Score

10^/10

vidar 79a8b6682d9ea00c2d6adf6f75870831 discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

vidar

Version

7.7

Botnet

79a8b6682d9ea00c2d6adf6f75870831

C2

https://88.198.107.6

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
79a8b6682d9ea00c2d6adf6f75870831

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/3460-23-0x0000000001100000-0x0000000001841000-memory.dmp	family_vidar_v7
behavioral2/memory/3460-27-0x0000000001100000-0x0000000001841000-memory.dmp	family_vidar_v7
behavioral2/memory/3460-41-0x0000000001100000-0x0000000001841000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 3916	2592	Setup.exe	82

Loads dropped DLL 1 IoCs

pid	Process
3460	openssl.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3476	3460	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openssl.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2592	Setup.exe
2592	Setup.exe
3916	netsh.exe
3916	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2592	Setup.exe
3916	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2592	Setup.exe
Token: SeTakeOwnershipPrivilege	2592	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3916	2592	Setup.exe	82
PID 2592 wrote to memory of 3916	2592	Setup.exe	82
PID 2592 wrote to memory of 3916	2592	Setup.exe	82
PID 2592 wrote to memory of 3916	2592	Setup.exe	82
PID 3916 wrote to memory of 3460	3916	netsh.exe	84
PID 3916 wrote to memory of 3460	3916	netsh.exe	84
PID 3916 wrote to memory of 3460	3916	netsh.exe	84
PID 3916 wrote to memory of 3460	3916	netsh.exe	84
PID 3916 wrote to memory of 3460	3916	netsh.exe	84

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\openssl.exe
    C:\Users\Admin\AppData\Local\Temp\openssl.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 876
      4⤵
      Program crash
      PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3460 -ip 3460
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6e2d76d

Filesize
6.4MB

MD5
78586823a349bd1f54d53a0b7b02b359

SHA1
275a8abd6d2930dc19f06f7054c61d4ef1732102

SHA256
3c6360a92f5e887af2f0c62c47ecda3f22ba6ad70c183428ce072e1989a53b84

SHA512
2c237c9145eda5ab61e35017f780e1c37a5baa5393ce9dcd0cf3d4e49f72df07093ada46ef98fb1b7fd9ec24a34b09fb31925f9faa775fcb148eec5a5498268d

Download Submit
C:\Users\Admin\AppData\Local\Temp\openssl.exe

Filesize
609KB

MD5
7341914540d5ddd0a3f291e41b3a4c31

SHA1
6915a68474a2a9c7db4b27309fdcde894237984b

SHA256
33bb544e80b1c924573090d54c282d7c11d8eabf737ddaf857c98ec1a19c2299

SHA512
0db9518ea24fc8c9a991d65b6ff10be01bf059e8dfbd23c08546c0bff361a6df5f86959015afd7368e7c29da126e7de8b13ba031f6344edc98641408144825ac

Download Submit
memory/2592-1-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-9-0x0000000073912000-0x0000000073913000-memory.dmp

Filesize
4KB

Download
memory/2592-10-0x0000000073900000-0x0000000073A7B000-memory.dmp

Filesize
1.5MB

Download
memory/2592-11-0x0000000073900000-0x0000000073A7B000-memory.dmp

Filesize
1.5MB

Download
memory/2592-0-0x0000000073900000-0x0000000073A7B000-memory.dmp

Filesize
1.5MB

Download
memory/3460-23-0x0000000001100000-0x0000000001841000-memory.dmp

Filesize
7.3MB

Download
memory/3460-41-0x0000000001100000-0x0000000001841000-memory.dmp

Filesize
7.3MB

Download
memory/3460-27-0x0000000001100000-0x0000000001841000-memory.dmp

Filesize
7.3MB

Download
memory/3460-26-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-18-0x0000000073901000-0x000000007390F000-memory.dmp

Filesize
56KB

Download
memory/3916-24-0x000000007390E000-0x000000007390F000-memory.dmp

Filesize
4KB

Download
memory/3916-20-0x0000000073901000-0x000000007390F000-memory.dmp

Filesize
56KB

Download
memory/3916-17-0x000000007390E000-0x000000007390F000-memory.dmp

Filesize
4KB

Download
memory/3916-15-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-13-0x0000000073901000-0x000000007390F000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads