vidar | baea231a54de7cc9e3d2613f313eaeefde8fc62ae66e283d7e15e887d2d8d7e6

Analysis

max time kernel
107s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ControlledAccessPoint.exe.zip
Size

466KB
MD5

1e2053d4cfc688bc63973f3d18b1e00f
SHA1

7529e740ae73ea65b507e68c2cad107725f78ad6
SHA256

baea231a54de7cc9e3d2613f313eaeefde8fc62ae66e283d7e15e887d2d8d7e6
SHA512

b7ced408d342b7948fe07aa18915724492d2dfafbdca4a8e4369959aafbcde8af88c34b0e76877486d15a66a41cb79407cdaa83cedf7092f59d1cac6d8f5286d
SSDEEP

6144:s8dj8NusAbUE04vKVvFnpvyakp3+NbOmAEH6kB7/yQB/2LTMqaPvncVq:s8GNn204vKrpvypR66mAEPB7/YMP3oq

Score

10^/10

vidar 2ee1445fc63bc20d0e7966867b13e0e1 discovery stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

2ee1445fc63bc20d0e7966867b13e0e1

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral2/memory/3192-12-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3192-11-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3192-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3192-37-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5088-48-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5088-49-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2708-56-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2708-57-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 3 IoCs

pid	Process
4452	ControlledAccessPoint.exe
4928	ControlledAccessPoint.exe
4044	ControlledAccessPoint.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 3192	4452	ControlledAccessPoint.exe	116
PID 4928 set thread context of 5088	4928	ControlledAccessPoint.exe	120

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4368	timeout.exe
2468	timeout.exe
2580	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3192	InstallUtil.exe
3192	InstallUtil.exe
4928	ControlledAccessPoint.exe
4928	ControlledAccessPoint.exe
4928	ControlledAccessPoint.exe
4928	ControlledAccessPoint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2356	7zFM.exe
Token: 35	2356	7zFM.exe
Token: SeSecurityPrivilege	2356	7zFM.exe
Token: SeDebugPrivilege	4928	ControlledAccessPoint.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2356	7zFM.exe
2356	7zFM.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4452 wrote to memory of 3192	4452	ControlledAccessPoint.exe	116
PID 4928 wrote to memory of 2724	4928	ControlledAccessPoint.exe	118
PID 4928 wrote to memory of 2724	4928	ControlledAccessPoint.exe	118
PID 4928 wrote to memory of 2724	4928	ControlledAccessPoint.exe	118
PID 4928 wrote to memory of 2056	4928	ControlledAccessPoint.exe	119
PID 4928 wrote to memory of 2056	4928	ControlledAccessPoint.exe	119
PID 4928 wrote to memory of 2056	4928	ControlledAccessPoint.exe	119
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120
PID 4928 wrote to memory of 5088	4928	ControlledAccessPoint.exe	120

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ControlledAccessPoint.exe.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2356

C:\Users\Admin\Desktop\ControlledAccessPoint.exe
"C:\Users\Admin\Desktop\ControlledAccessPoint.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\CAKFIJDHJEGI" & exit
    3⤵
    PID:4620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:4368

C:\Users\Admin\Desktop\ControlledAccessPoint.exe
"C:\Users\Admin\Desktop\ControlledAccessPoint.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\GCFBAKKJDBKJ" & exit
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2468

C:\Users\Admin\Desktop\ControlledAccessPoint.exe
"C:\Users\Admin\Desktop\ControlledAccessPoint.exe"
1⤵
- Executes dropped EXE
PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\GDAECAECFCAA" & exit
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
6c42d82b8cda8f2105da9430c4250e7d

SHA1
dfa9e935882de605eda30fd4b2b08ec4c55f3ce9

SHA256
7e981e339820cf1df3eb685bae0387991c338a5a6608ce27b18f23d27bb49c43

SHA512
1dcd77002593cd8af0294f391a3700a9a4c6ad4b97fc9fcb9dc5aebc52e083733c745d50f1615670166fb1eaed5751ab6c1bfc8edbc2ab89e6e1cae8470115f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E3D1101CFA1A79AF305FD7C55E37649_A8EAC700FEE71EDD327E06BEAA0C7F96

Filesize
2KB

MD5
8b4ae1710ec7df91b0e38a8d2e90d512

SHA1
ad4ee5f6af3fe8a60f69726247a4fbdc31769837

SHA256
f201618bdcbe4ff5d3ae779763529cce95ce0113a98e2f9fb2fda59afa198426

SHA512
0ac3eaabb3c4144bc704c9a9aa1fe6b439e745367df6246cb0cc096dec13992f2dbe0afd857fe5c3366e3d7a5f78e9a59a5b21850d42ca65229bae600b61fa7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
9babaf83119fcf43e343619ea4b19570

SHA1
e8d7ebec638a9e040c56876571d75ade56ef4162

SHA256
4a979e39be150380ee99ca698b5a2b035471602f70585acf863d2d0275008f9f

SHA512
b923e9787cddf3043da32936710fa1b3f0ccf86d7c69cff591282a6b4d3cecde1827f0c5d60479fb46225784041bc91eff46747e80e4afeb7e20a20c8c7cd109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
6babbe1761f699c83a6b6582b00c322b

SHA1
9153bf3c15de236985cc0ee21867c0b3bcf4f169

SHA256
7cb67802b572f9835ec53c420eaea5662baf4af18693dd0df9881dc9d02e2fd5

SHA512
84846974364a5b872e162c5bf07c50b5713ca4d5352a786822b08395530afe23278274f60a2fe5334a67cf30034941a8e710cd0fb0d6c22ceb8a589ec635ca24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
c5828e482fa2da6add952e635858f4e4

SHA1
22ca70493a069e877e20d7ec2782b36d124b3793

SHA256
918122636d85c953f2f57ebd3c3005344f5e142bc84fb92754e358d608a52c82

SHA512
a116a4b1af12196b6de8f88ee9628fbb67238fdb247a42ad590cd656f2a078eb5922b764072d6f493441ccd745be3a93e9432e8a84bb60e75c4f0145b37bfda5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E3D1101CFA1A79AF305FD7C55E37649_A8EAC700FEE71EDD327E06BEAA0C7F96

Filesize
474B

MD5
cfc566fbf77b3cd9af3c9daa6bcede85

SHA1
33fe6e07a2029fa261266d2ba223e76686ab2231

SHA256
549e49df20f9101183870f01df725cd0b5aa1693b1434f7dfe20efd687e18579

SHA512
82b1d0d3cc5bc9fbd9b822d598b6cec98a133f0bc690c0a5b9d4ed92572e939938b58031acf91975e64a8185d3335d783298ed080e0319419cefe527451c24be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
4ba3c948d9b1928e993dd984bad931fd

SHA1
0df0c6058956207575cb88b2a01cbdf2a1276c1e

SHA256
fd01aaac1aa35e8459d66b1da4a2a11e61b4a49788fa13b4951df45ef1fa6721

SHA512
75f96d8425fda3ca5ad24ed4cd766492cb381b84e41b51f48ca9cf2e56707d7e3469571fcd194247c993d9c78a680fb6748fc29876e1c64b7145bea319b824eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
d7415e744c2ff17e13d126db907a98b3

SHA1
c85ac1c767e58d9f8d4028bd96a027d989a19089

SHA256
286ffd3ea32d2961b9370e860766bb60f454d3a949713d5cc3b57197628d5480

SHA512
948101743c11cb5ce1a256a4965ae449eaa5070b1cfd024ef74f2ff71788fb543a9a1a58eb5ef92e25be3d0b18ec1af480012667a279edd0e3ca464e961e39fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ControlledAccessPoint.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\76561199780418869[1].htm

Filesize
34KB

MD5
29b6f537fcb61ee75b861c75323d907c

SHA1
af8012300e47802031969c9cdf17f9cf82156561

SHA256
8b9b357aafc07cfaeb913e4a878324e6e74cdc14c426bcfe3726e053b6b76580

SHA512
3b8c1af0607492b49ed99f230dbea3c883661d8a11aa9b6faba23bada6e7902ffcedb4d1e37fbec3f678125c394134f94e550195a08606ae78e33522b4c800e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UV4TX9UP\76561199780418869[1].htm

Filesize
34KB

MD5
eadb51f8cea67a17b6161fc474ae688d

SHA1
0223359549979386652c2ed038c14f7216cdaf9c

SHA256
fb4fed9f45ed192d826f36d1798df759e817521b4d24dff547653eee878edfef

SHA512
c4b91fed0ddd5fadfc49d3008c9abead3d0b802dbc640e618032e0d8694c73131592d7d9eb9ae4293c2d821b8383a0fa0150a381c313dd7ab115fb9c1bdea786

Download Submit
C:\Users\Admin\Desktop\ControlledAccessPoint.exe

Filesize
594KB

MD5
f275736a38a6b90825076e8d786ad5c5

SHA1
c0d862ceab728736580f043316cdc099b2ab8924

SHA256
b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42

SHA512
b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711

Download Submit
memory/2708-56-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2708-57-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3192-37-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3192-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3192-11-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3192-12-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4452-25-0x00007FFB3E9B0000-0x00007FFB3F471000-memory.dmp

Filesize
10.8MB

Download
memory/4452-10-0x00007FFB3E9B0000-0x00007FFB3F471000-memory.dmp

Filesize
10.8MB

Download
memory/4452-9-0x00007FFB3E9B3000-0x00007FFB3E9B5000-memory.dmp

Filesize
8KB

Download
memory/4452-7-0x000000001D510000-0x000000001D586000-memory.dmp

Filesize
472KB

Download
memory/4452-6-0x00007FFB3E9B0000-0x00007FFB3F471000-memory.dmp

Filesize
10.8MB

Download
memory/4452-4-0x00007FFB3E9B3000-0x00007FFB3E9B5000-memory.dmp

Filesize
8KB

Download
memory/4452-5-0x00000000002A0000-0x000000000033A000-memory.dmp

Filesize
616KB

Download
memory/5088-48-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5088-49-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download