Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 11:40

General

  • Target

    Vidar.exe

  • Size

    1.2MB

  • MD5

    2f79684349eb97b0e072d21a1b462243

  • SHA1

    ed9b9eeafc5535802e498e78611f262055d736af

  • SHA256

    9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04

  • SHA512

    4d94ae4633f3bf489d1bc9613fc6028865064ec98f73b5e9e775f08ff55d246daeddce6a4a0a013a9d05e65edc726768c397d0382e5c35352144b5338d6467d3

  • SSDEEP

    24576:9piXI12TyeC5m71MsNon4J0t1TBUV1E1HP9yjy3anIPXD:9pYaeC52KsNgFtxBUvWIaaKz

Malware Config

Extracted

Family

vidar

Version

11.4

Botnet

7c37934964656ffad71319cfd3f70c69

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
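Both C2 entries are public profile pages rather than attacker-owned hosts: Vidar has long used Telegram and Steam profiles as dead-drop resolvers, publishing the live C2 address in the profile text, so these two URLs are what appears in proxy logs even though neither is the final endpoint. The user agent is the other network IOC here: a macOS Safari string carrying the DuckDuckGo browser tag (Ddg/17.6), emitted by a Windows 10 sandbox. The Python below is an added example, not part of the report or of any Vidar tooling: it runs both IOCs over a handful of constructed proxy log lines (the line layout, the client OS field, the IPs and the timestamps are all invented for the example) and keeps an exact URL match separate from the OS/user-agent contradiction, which only carries meaning when the client is known to be Windows.

```python
import re
from urllib.parse import urlsplit

# Network IOCs copied from the report's Malware Config section.
C2_URLS = [
    "https://t.me/asg7rd",
    "https://steamcommunity.com/profiles/76561199794498376",
]
VIDAR_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6")

# Constructed proxy log lines, not from the report. Assumed layout:
#   <timestamp> <client_os> <client_ip> <method> <url> <status> "<user-agent>"
WIN_EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0")
LOG_LINES = [
    f'2024-11-14T11:41:02Z windows 10.0.0.21 GET https://steamcommunity.com/profiles/76561199794498376/ 200 "{VIDAR_UA}"',
    f'2024-11-14T11:41:03Z windows 10.0.0.21 GET https://t.me/asg7rd 200 "{VIDAR_UA}"',
    f'2024-11-14T11:41:30Z windows 10.0.0.21 GET https://www.microsoft.com/ 200 "{WIN_EDGE_UA}"',
    f'2024-11-14T11:42:10Z macos 10.0.0.35 GET https://steamcommunity.com/profiles/76561199794498376 200 "{VIDAR_UA}"',
    f'2024-11-14T11:43:00Z macos 10.0.0.35 GET https://steamcommunity.com/app/730 200 "{VIDAR_UA}"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<os>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$')


def normalize_url(url):
    """Lower-case scheme and host, drop query, fragment and a trailing slash; keep the path case."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


C2_SET = {normalize_url(u) for u in C2_URLS}


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable proxy line: {line!r}")
    return m.groupdict()


def hunt(lines):
    """Return one hit per (line, reason); a line can carry both reasons."""
    hits = []
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        url = normalize_url(rec["url"])
        if url in C2_SET:
            hits.append({"line": no, "ip": rec["ip"], "reason": "c2_url_match", "evidence": url})
        # The sample's UA claims macOS Safari. From a Windows client that is a contradiction;
        # from a real Mac it may simply be the DuckDuckGo browser, so no hit is raised there.
        if rec["ua"] == VIDAR_UA and rec["os"].lower().startswith("win"):
            hits.append({"line": no, "ip": rec["ip"], "reason": "macos_ua_from_windows_host",
                         "evidence": rec["ua"]})
    return hits
```

Run over the constructed lines, the two Windows-client requests to the profile pages raise both reasons, the Mac client visiting the same Steam profile raises only the URL match, and the Mac client browsing elsewhere with the same user agent raises nothing. Exact user-agent matching is brittle across Vidar builds; the URL match and the OS contradiction are the parts worth keeping in a rule.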

Signatures

  • Detect Vidar Stealer 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Loads dropped DLL 1 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vidar.exe
    "C:\Users\Admin\AppData\Local\Temp\Vidar.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
      2⤵
      PID:4828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
      2⤵
      PID:3924
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" & rd /s /q "C:\ProgramData\CGIEGHJEGHJK" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3572
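The cleanup chain at the bottom of the tree (cmd.exe waiting on timeout.exe, then deleting the Applaunch.exe that had been running the stealer and removing a random-looking directory under C:\ProgramData) and the three argument-less Applaunch.exe launches from a Temp-resident parent are the parts of this tree that translate directly into process-creation detections. The Python below is an added example, not part of the sandbox report or of any Vidar tooling: it encodes those heuristics and runs them over a constructed list of process-creation records that mirror the tree above (PIDs, images and command lines are copied from the page; the parent-PID links and the record layout are assumptions modelled on Sysmon Event ID 1).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records mirroring the tree above. Images, PIDs and command
# lines are copied from the report; the ppid links and the field names are assumptions
# (Sysmon Event ID 1 style), not the sandbox's export format.
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
EVENTS = [
    {"pid": 2260, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\Vidar.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Vidar.exe"'},
    {"pid": 4828, "ppid": 2260, "image": APPLAUNCH, "cmdline": f'"{APPLAUNCH}"'},
    {"pid": 3924, "ppid": 2260, "image": APPLAUNCH, "cmdline": f'"{APPLAUNCH}"'},
    {"pid": 4308, "ppid": 2260, "image": APPLAUNCH, "cmdline": f'"{APPLAUNCH}"'},
    {"pid": 5104, "ppid": 4308, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" '
                 r'& rd /s /q "C:\ProgramData\CGIEGHJEGHJK" & exit')},
    {"pid": 3572, "ppid": 5104, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 10"},
]

# Path fragments a standard user can write to; extend for the environment.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")
# Signed .NET Framework executables that commodity stealers commonly start as injection targets.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

DELAYED_DELETE = re.compile(
    r'timeout\s+/t\s+(?P<secs>\d+)\s*&+\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+)', re.I)
TREE_REMOVE = re.compile(r'\brd\s+(?:/[a-z]\s+)*"?(?P<dir>[^"&]+)', re.I)
PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\", re.I)


def is_user_writable(path):
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def analyze(events):
    """Run the three heuristics over process-creation records and return a list of findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []

    # 1. .NET host binaries started, without arguments, by a parent living in a user-writable path.
    hosts_by_parent = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        if PureWindowsPath(e["image"]).name.lower() not in DOTNET_HOSTS or parent is None:
            continue
        if is_user_writable(parent["image"]):
            no_args = e["cmdline"].strip().strip('"').lower() == e["image"].lower()
            hosts_by_parent.setdefault(parent["pid"], []).append((e["pid"], no_args))
    for ppid, children in hosts_by_parent.items():
        findings.append({"rule": "dotnet_host_from_user_writable_parent", "pid": ppid,
                         "parent_image": by_pid[ppid]["image"],
                         "children": [pid for pid, _ in children],
                         "all_without_args": all(no_args for _, no_args in children)})

    for e in events:
        # 2. cmd.exe sleeping via timeout, then deleting a file; record whether that file is
        #    its own parent's image (the "delete me after I exit" idiom).
        m = DELAYED_DELETE.search(e["cmdline"])
        if m:
            target = m.group("target").strip()
            parent = by_pid.get(e["ppid"])
            findings.append({"rule": "delayed_file_delete", "pid": e["pid"], "target": target,
                             "delay_s": int(m.group("secs")),
                             "deletes_parent_image": (parent is not None and
                                                      parent["image"].lower() == target.lower())})
        # 3. Recursive removal of a directory under ProgramData; a leaf name made only of
        #    upper-case letters is the naming style seen in this report.
        m = TREE_REMOVE.search(e["cmdline"])
        if m:
            directory = m.group("dir").strip()
            if PROGRAMDATA.match(directory):
                leaf = PureWindowsPath(directory).name
                findings.append({"rule": "programdata_tree_removal", "pid": e["pid"],
                                 "dir": directory,
                                 "uppercase_leaf": re.fullmatch(r"[A-Z]{6,}", leaf) is not None})
    return findings
```

On the constructed records the first rule groups all three Applaunch.exe children under PID 2260 and notes that none received arguments, the second reports that PID 5104 deletes exactly its parent's image after a 10 second wait, and the third flags C:\ProgramData\CGIEGHJEGHJK. AppLaunch.exe is a legitimate .NET Framework binary, so the parent's path and the empty command line are what carry the signal; the user-writable list is the knob to tune per environment.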

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\chrome.dll

    Filesize

    676KB

    MD5

    eda18948a989176f4eebb175ce806255

    SHA1

    ff22a3d5f5fb705137f233c36622c79eab995897

    SHA256

    81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

    SHA512

    160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

  • memory/2260-1-0x0000000000FD0000-0x0000000001112000-memory.dmp

    Filesize

    1.3MB

  • memory/2260-2-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

    Filesize

    10.8MB

  • memory/2260-3-0x000000001DFF0000-0x000000001E0F0000-memory.dmp

    Filesize

    1024KB

  • memory/2260-4-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

    Filesize

    8KB

  • memory/2260-5-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

    Filesize

    10.8MB

  • memory/2260-0-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

    Filesize

    8KB

  • memory/4308-6-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

  • memory/4308-11-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

  • memory/4308-25-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

  • memory/4308-26-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

  • memory/4308-8-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

  • memory/4308-30-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB
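Every dump for PID 4308 (the Applaunch.exe that went on to spawn cmd.exe) covers the same 0x00400000-0x00700000 range, which is the default image base of a 32-bit PE executable, while the dumps for PID 2260 are scattered across 64-bit addresses. Read together with the SetThreadContext and WriteProcessMemory signatures on the parent, that is the first thing an analyst would want stated as numbers. The Python below is an added example, not part of the report: it parses the page's memory/<pid>-<seq>-<start>-<end>-memory.dmp naming scheme (an assumption inferred from the names above), reproduces the page's Filesize values from the address ranges, and flags a PID whose default-image-base region was dumped repeatedly. The page does not name an injection technique and neither does the code; diffing the dumped region against the on-disk Applaunch.exe image is the analyst's next step.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Downloads list, in the order the page lists them.
DUMP_NAMES = [
    "memory/2260-1-0x0000000000FD0000-0x0000000001112000-memory.dmp",
    "memory/2260-2-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp",
    "memory/2260-3-0x000000001DFF0000-0x000000001E0F0000-memory.dmp",
    "memory/2260-4-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp",
    "memory/2260-5-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp",
    "memory/2260-0-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp",
    "memory/4308-6-0x0000000000400000-0x0000000000700000-memory.dmp",
    "memory/4308-11-0x0000000000400000-0x0000000000700000-memory.dmp",
    "memory/4308-25-0x0000000000400000-0x0000000000700000-memory.dmp",
    "memory/4308-26-0x0000000000400000-0x0000000000700000-memory.dmp",
    "memory/4308-8-0x0000000000400000-0x0000000000700000-memory.dmp",
    "memory/4308-30-0x0000000000400000-0x0000000000700000-memory.dmp",
]

# Assumed naming scheme, inferred from the names above: memory/<pid>-<seq>-<start>-<end>-memory.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

MIB = 1024 * 1024
# Default image base of a 32-bit PE executable. The report's Applaunch.exe comes from the 32-bit
# Framework directory and its child cmd.exe runs from SysWOW64, so this is the base to watch.
X86_DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": end - start}


def human_size(n):
    """Reproduce the page's Filesize style: one decimal in MB above 1 MiB, whole KB otherwise."""
    return f"{n / MIB:.1f}MB" if n > MIB else f"{n // 1024}KB"


def summarize(names):
    """Group dumps by PID and report the distinct regions plus the repeated-image-base flag."""
    per_pid = defaultdict(list)
    for name in names:
        r = parse_dump_name(name)
        per_pid[r["pid"]].append(r)
    summary = {}
    for pid, regions in per_pid.items():
        dumps_per_region = defaultdict(int)
        for r in regions:
            dumps_per_region[(r["start"], r["end"])] += 1
        distinct = sorted(dumps_per_region)
        at_image_base = any(start == X86_DEFAULT_IMAGE_BASE for start, _ in distinct)
        most_dumped = max(dumps_per_region.values())
        summary[pid] = {
            "dumps": len(regions),
            "distinct_regions": [(s, e, human_size(e - s)) for s, e in distinct],
            "max_dumps_of_one_region": most_dumped,
            # The same image-base region captured again and again while the process runs is
            # the region to compare with the on-disk image (whose size the report does not give).
            "image_base_region_repeated": at_image_base and most_dumped >= 3,
        }
    return summary
```

For PID 4308 the summary collapses six dumps into one 3.0MB region at 0x400000 and sets the flag; for PID 2260 it lists four distinct regions (the 1.3MB, 10.8MB, 1024KB and 8KB entries on the page, with two of them captured twice) and leaves the flag clear. The sandbox's own region sizes are rounded the same way the helper rounds them, which is a quick consistency check on the parser.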