vidar | ae4652c4433d845665b44f36ba2e4188ca5e33a1df4ea3183af5f3cfbc0d3614

General

Target

25f5bb6b3ac38fe55b9e09e198ec3a65.exe
Size

598KB
MD5

25f5bb6b3ac38fe55b9e09e198ec3a65
SHA1

f60a23765859b7b1add8124c74d382b50484925d
SHA256

ae4652c4433d845665b44f36ba2e4188ca5e33a1df4ea3183af5f3cfbc0d3614
SHA512

c7f28ecaf9e9bcbd96b06beb7164f6d8374bec856e0064fadc42ea68491530dd0462949ad5ed78ed1b9a89c73b4bfd1e6bd3b7a7bd8218dcf6557db362d6c35e
SSDEEP

12288:E8yf0yrFNqkBdKYN3+xAAgZsltw5bTOt4g0sht8Gj64fPsETEO:E8EfrF7xF+xZwf00shp+dmt

Score

10^/10

vidar 8ecc9c7eaebfdf2a8cc0586d7419d6ea discovery stealer

Malware Config

Extracted

Family

vidar

Botnet

8ecc9c7eaebfdf2a8cc0586d7419d6ea

C2

https://t.me/maslengdsa

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/memory/3936-1-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3936-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3936-6-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3936-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3936-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3936-29-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3936-30-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3768	4356	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25f5bb6b3ac38fe55b9e09e198ec3a65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3936	MSBuild.exe
3936	MSBuild.exe
3936	MSBuild.exe
3936	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83
PID 4356 wrote to memory of 3936	4356	25f5bb6b3ac38fe55b9e09e198ec3a65.exe	83

C:\Users\Admin\AppData\Local\Temp\25f5bb6b3ac38fe55b9e09e198ec3a65.exe
"C:\Users\Admin\AppData\Local\Temp\25f5bb6b3ac38fe55b9e09e198ec3a65.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 292
  2⤵
  - Program crash
  PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3936-1-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3936-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3936-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3936-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3936-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3936-22-0x0000000022530000-0x000000002278F000-memory.dmp

Filesize
2.4MB

Download
memory/3936-29-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3936-30-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4356-0-0x0000000000CDF000-0x0000000000CE1000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing