vidar | cf4ee8c87ce3d02911718d040784e9367773ac8c3f74106ec1227b675fd882e8

Analysis

max time kernel
10s
max time network
15s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-10-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S0FTWARE.exe
Size

9.1MB
MD5

de40920ceb6061d4a5b62fd03a9438c5
SHA1

eb3d3f46aad57e868b9d4b2c07d24410bfd2ca85
SHA256

959e47ec654acce16b8df4466da97f8479d65b9a69a2c3603c3cb6856ceaecc0
SHA512

fa0ea73440e794092045fdada16fb702ae7e5962a09d2fa62d7873a1c211c9b55037cb34c15477cdaf6052a0d7443ce413cebe35e4785032718666246af712f6
SSDEEP

49152:kT2J6mHyA+c9OoSgI/QDBmdnR1ell3R4NqU8nq9LBWJYu5blvGRCnQoxYLaHFsjh:nI2yA+c9OUrDyymevvWSoxGd8IM7N

Score

10^/10

vidar 467d1313a0fbcd97b65a6f1d261c288f discovery stealer

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

467d1313a0fbcd97b65a6f1d261c288f

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2784-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2784-4-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2784-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3796 set thread context of 2784	3796	S0FTWARE.exe	73

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	BitLockerToGo.exe
2784	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73
PID 3796 wrote to memory of 2784	3796	S0FTWARE.exe	73

C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe
"C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2784-0-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2784-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2784-4-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2784-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download