vidar | 437351bc383d4274bc279d699eabdad546d6d68760bf04372a0c0430ad0ca41b

General

Target

TradingView Premium Desktop.exe
Size

780.2MB
MD5

670113fe6bf7fbcd6006f0d04d3daa72
SHA1

9ca0920c3e73e08c7c585398bdb0756f0fa0f5ae
SHA256

437351bc383d4274bc279d699eabdad546d6d68760bf04372a0c0430ad0ca41b
SHA512

e5a2b925dde644a2d69c6b4dd763f2ca1be778d754431a4b27fe093f230234f18f3ef8b92060e9b290f31e4d59ea33215c803064b6a1db33195f654516cfffd9
SSDEEP

196608:Raed/aHefyyj4OfTL7SSGnh/Q7cq2hKSIv3/5DLz:Raw/akxH7O/CoKPx

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/3384-9-0x00000000006F0000-0x0000000001A49000-memory.dmp	family_vidar_v7
behavioral2/memory/3384-44-0x00000000006F0000-0x0000000001A49000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DGCGDB.exe

Executes dropped EXE 11 IoCs

pid	Process
1992	DGCGDB.exe
552	DGCGDB.exe
1596	DGCGDB.exe
4976	DGCGDB.exe
2952	DGCGDB.exe
3512	DGCGDB.exe
1704	DGCGDB.exe
1416	DGCGDB.exe
3980	DGCGDB.exe
2776	DGCGDB.exe
5056	DGCGDB.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TradingView Premium Desktop.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TradingView Premium Desktop.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TradingView Premium Desktop.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1136	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe
3384	TradingView Premium Desktop.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 1992	3384	TradingView Premium Desktop.exe	104
PID 3384 wrote to memory of 1992	3384	TradingView Premium Desktop.exe	104
PID 1992 wrote to memory of 552	1992	DGCGDB.exe	106
PID 1992 wrote to memory of 552	1992	DGCGDB.exe	106
PID 1992 wrote to memory of 1596	1992	DGCGDB.exe	107
PID 1992 wrote to memory of 1596	1992	DGCGDB.exe	107
PID 1992 wrote to memory of 4976	1992	DGCGDB.exe	108
PID 1992 wrote to memory of 4976	1992	DGCGDB.exe	108
PID 1992 wrote to memory of 2952	1992	DGCGDB.exe	109
PID 1992 wrote to memory of 2952	1992	DGCGDB.exe	109
PID 1992 wrote to memory of 3512	1992	DGCGDB.exe	110
PID 1992 wrote to memory of 3512	1992	DGCGDB.exe	110
PID 1992 wrote to memory of 1704	1992	DGCGDB.exe	111
PID 1992 wrote to memory of 1704	1992	DGCGDB.exe	111
PID 1992 wrote to memory of 1416	1992	DGCGDB.exe	112
PID 1992 wrote to memory of 1416	1992	DGCGDB.exe	112
PID 1992 wrote to memory of 3980	1992	DGCGDB.exe	113
PID 1992 wrote to memory of 3980	1992	DGCGDB.exe	113
PID 1992 wrote to memory of 2776	1992	DGCGDB.exe	114
PID 1992 wrote to memory of 2776	1992	DGCGDB.exe	114
PID 1992 wrote to memory of 5056	1992	DGCGDB.exe	115
PID 1992 wrote to memory of 5056	1992	DGCGDB.exe	115
PID 1992 wrote to memory of 4564	1992	DGCGDB.exe	116
PID 1992 wrote to memory of 4564	1992	DGCGDB.exe	116
PID 4564 wrote to memory of 1136	4564	cmd.exe	118
PID 4564 wrote to memory of 1136	4564	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3384
- C:\ProgramData\DGCGDB.exe
  C:\ProgramData\\DGCGDB.exe https://apklight.com/clips.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:552
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:1596
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:3512
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:1416
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:3980
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:2776
- - C:\ProgramData\DGCGDB.exe
    C:\ProgramData\DGCGDB.exe
    3⤵
    - Executes dropped EXE
    PID:5056
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\ProgramData\DGCGDB.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DGCGDB.exe

Filesize
7KB

MD5
1fbd01ee768b7c4abfd2783a4707a072

SHA1
15288415ec755c2673da3c716386abfdd35aaaed

SHA256
0a6b558dc092b4f6bce802a6407fe468f7b973c82db36e2d7a0d0db5635838b4

SHA512
200e9ddc345d9a9014e4b8db1db4647ab247491de20deea02ee65a032f62c67cf46fa46fff19b2e2059ba9274a24d9ad12c55b14af9da2ccfb355a40875a8c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\clips[1].exe

Filesize
3.2MB

MD5
591e2268cf72d349e9b46eddeb65db1e

SHA1
682f4e6840ff963a142e551a9ffc522a50826d61

SHA256
b94f9fa3f084671c30fd0f2c660d580046a480a8ae2790d6da29ab092973d36b

SHA512
f3a537dd310c41f491589d90dc18e97bff5bb16358ccce104ba1fd10d6c026dcddc955c65a19b269fe3a88d0b6cff94e71a68300107278b152c0b831e4c34567

Download Submit
memory/3384-6-0x000000000D980000-0x000000000D981000-memory.dmp

Filesize
4KB

Download
memory/3384-3-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/3384-4-0x000000000D960000-0x000000000D961000-memory.dmp

Filesize
4KB

Download
memory/3384-5-0x000000000D970000-0x000000000D971000-memory.dmp

Filesize
4KB

Download
memory/3384-0-0x00000000006F0000-0x0000000001A49000-memory.dmp

Filesize
19.3MB

Download
memory/3384-7-0x000000000D990000-0x000000000D991000-memory.dmp

Filesize
4KB

Download
memory/3384-8-0x000000000D9A0000-0x000000000D9A1000-memory.dmp

Filesize
4KB

Download
memory/3384-9-0x00000000006F0000-0x0000000001A49000-memory.dmp

Filesize
19.3MB

Download
memory/3384-19-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3384-43-0x0000000000E5E000-0x00000000011FE000-memory.dmp

Filesize
3.6MB

Download
memory/3384-44-0x00000000006F0000-0x0000000001A49000-memory.dmp

Filesize
19.3MB

Download
memory/3384-1-0x0000000000E5E000-0x00000000011FE000-memory.dmp

Filesize
3.6MB

Download
memory/3384-2-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads