vidar | 5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
Size

2.0MB
MD5

c09ced630ebb73f6486dfd4e269e9ec0
SHA1

c1eb6be0fcbb382ac8760e2a7fea9f3f2ff536b3
SHA256

5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148
SHA512

6b15a8e3c20975594a46244f8253d199eaa543d512a6f787ae91cb7aa1f66a0b38c49a7840109717712c66bf625c55971cb0274260f6a7d7cd8620a2b496699e
SSDEEP

49152:72EYTb8atv1orq+pEiSDTj1VyvBal2f/pWzLeO07B+Iy3AqMl1ZcK:qXbIrqH2f/pk07B+yqm1Z

Score

10^/10

vidar 088b67afccf93f8efd5916f6d6bc1185 credential_access discovery execution spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://my.cloudme.com/v1/ws2/:fullwin/:guide/guide.txt

Extracted

Family

vidar

Version

Botnet

088b67afccf93f8efd5916f6d6bc1185

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 15 IoCs

stealer

resource	yara_rule
behavioral2/memory/4444-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-40-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-38-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-47-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-48-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-56-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-57-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-65-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-66-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-82-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-83-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-107-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-108-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-118-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4444-119-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2788 created 3432	2788	InformationCheck.exe	56
PID 2788 created 3432	2788	InformationCheck.exe	56

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3652	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	InformationCheck.exe
3764	jsc.exe

Loads dropped DLL 2 IoCs

pid	Process
4444	RegAsm.exe
4444	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 4444	3764	jsc.exe	98

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3652	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InformationCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1176	timeout.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3652	powershell.exe
3652	powershell.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
4444	RegAsm.exe
4444	RegAsm.exe
4444	RegAsm.exe
4444	RegAsm.exe
4444	RegAsm.exe
4444	RegAsm.exe
4444	RegAsm.exe
4444	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
2788	InformationCheck.exe
2788	InformationCheck.exe
2788	InformationCheck.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3652	1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe	84
PID 1664 wrote to memory of 3652	1664	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe	84
PID 3652 wrote to memory of 2788	3652	powershell.exe	88
PID 3652 wrote to memory of 2788	3652	powershell.exe	88
PID 3652 wrote to memory of 2788	3652	powershell.exe	88
PID 2788 wrote to memory of 1592	2788	InformationCheck.exe	89
PID 2788 wrote to memory of 1592	2788	InformationCheck.exe	89
PID 2788 wrote to memory of 1592	2788	InformationCheck.exe	89
PID 2788 wrote to memory of 3764	2788	InformationCheck.exe	92
PID 2788 wrote to memory of 3764	2788	InformationCheck.exe	92
PID 2788 wrote to memory of 3764	2788	InformationCheck.exe	92
PID 2788 wrote to memory of 3764	2788	InformationCheck.exe	92
PID 2788 wrote to memory of 3764	2788	InformationCheck.exe	92
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 3764 wrote to memory of 4444	3764	jsc.exe	98
PID 4444 wrote to memory of 3416	4444	RegAsm.exe	100
PID 4444 wrote to memory of 3416	4444	RegAsm.exe	100
PID 4444 wrote to memory of 3416	4444	RegAsm.exe	100
PID 3416 wrote to memory of 1176	3416	cmd.exe	102
PID 3416 wrote to memory of 1176	3416	cmd.exe	102
PID 3416 wrote to memory of 1176	3416	cmd.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
  "C:\Users\Admin\AppData\Local\Temp\5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Public\InformationCheck.exe
      "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1592
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\JKEGIDGDGHCA" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_var5ccxt.cgl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Details.au3

Filesize
3.3MB

MD5
1e8fe65246ee54e3ec5b9eefe3c891b7

SHA1
bd7ce8fe31095c01a0834584ac8ed8d20fc6da02

SHA256
a0c1c43af6fe8ec06904ff09a28768c1c63f48e10c0ae539ac098f57901a611c

SHA512
d355902edeca0373aaef8b25c35e07432004b43aa92e05597823a0ddc5e313f674efa5bd2d956aeef19c321fea061b50742f33715e6cf60e8ba6bd53bb4601c1

Download Submit
C:\Users\Public\InformationCheck.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Public\ProfileDetails.ps1

Filesize
373B

MD5
81084e8a8b48ee1f368f0d1617cece99

SHA1
2d28e1b4bb91ccbfdc12ed886d6e98f869942af1

SHA256
981f871075ccd50cc80571406a5c3dea1467b39df050c46fbf1bbe256c0cb990

SHA512
46298a61eaf57b644410540f45ba5e32f0404c90e0ea26ae1b161a61e2b1720892627e4e3038a244110133b560e01cea3644c636a9084fa7e4c20fb7721181c0

Download Submit
C:\Users\Public\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
memory/3652-14-0x00007FFA38140000-0x00007FFA38C01000-memory.dmp

Filesize
10.8MB

Download
memory/3652-21-0x00007FFA38140000-0x00007FFA38C01000-memory.dmp

Filesize
10.8MB

Download
memory/3652-2-0x00007FFA38143000-0x00007FFA38145000-memory.dmp

Filesize
8KB

Download
memory/3652-13-0x00007FFA38140000-0x00007FFA38C01000-memory.dmp

Filesize
10.8MB

Download
memory/3652-12-0x0000021BFC720000-0x0000021BFC742000-memory.dmp

Filesize
136KB

Download
memory/3764-30-0x0000000000B10000-0x0000000000C6E000-memory.dmp

Filesize
1.4MB

Download
memory/3764-33-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/3764-34-0x00000000054F0000-0x000000000560E000-memory.dmp

Filesize
1.1MB

Download
memory/3764-35-0x0000000002AC0000-0x0000000002AE2000-memory.dmp

Filesize
136KB

Download
memory/4444-38-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-47-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-48-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-49-0x000000001FD30000-0x000000001FF8F000-memory.dmp

Filesize
2.4MB

Download
memory/4444-56-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-57-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-65-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-66-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-82-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-83-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-40-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-107-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-108-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-118-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4444-119-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download