Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 11:40
Static task
static1
Behavioral task
behavioral1
Sample
Vidar.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Vidar.exe
Resource
win10v2004-20241007-en
General
-
Target
Vidar.exe
-
Size
1.2MB
-
MD5
2f79684349eb97b0e072d21a1b462243
-
SHA1
ed9b9eeafc5535802e498e78611f262055d736af
-
SHA256
9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04
-
SHA512
4d94ae4633f3bf489d1bc9613fc6028865064ec98f73b5e9e775f08ff55d246daeddce6a4a0a013a9d05e65edc726768c397d0382e5c35352144b5338d6467d3
-
SSDEEP
24576:9piXI12TyeC5m71MsNon4J0t1TBUV1E1HP9yjy3anIPXD:9pYaeC52KsNgFtxBUvWIaaKz
Malware Config
Extracted
vidar
11.4
7c37934964656ffad71319cfd3f70c69
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures
-
Detect Vidar Stealer 6 IoCs
resource yara_rule behavioral2/memory/4308-6-0x0000000000400000-0x0000000000700000-memory.dmp family_vidar_v7 behavioral2/memory/4308-8-0x0000000000400000-0x0000000000700000-memory.dmp family_vidar_v7 behavioral2/memory/4308-11-0x0000000000400000-0x0000000000700000-memory.dmp family_vidar_v7 behavioral2/memory/4308-25-0x0000000000400000-0x0000000000700000-memory.dmp family_vidar_v7 behavioral2/memory/4308-26-0x0000000000400000-0x0000000000700000-memory.dmp family_vidar_v7 behavioral2/memory/4308-30-0x0000000000400000-0x0000000000700000-memory.dmp family_vidar_v7 -
Vidar family
-
Loads dropped DLL 1 IoCs
pid Process 4308 Applaunch.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2260 set thread context of 4308 2260 Vidar.exe 98 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Applaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Applaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Applaunch.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3572 timeout.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2260 Vidar.exe 2260 Vidar.exe 2260 Vidar.exe 2260 Vidar.exe 4308 Applaunch.exe 4308 Applaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2260 Vidar.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2260 wrote to memory of 4828 2260 Vidar.exe 96 PID 2260 wrote to memory of 4828 2260 Vidar.exe 96 PID 2260 wrote to memory of 4828 2260 Vidar.exe 96 PID 2260 wrote to memory of 3924 2260 Vidar.exe 97 PID 2260 wrote to memory of 3924 2260 Vidar.exe 97 PID 2260 wrote to memory of 3924 2260 Vidar.exe 97 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 2260 wrote to memory of 4308 2260 Vidar.exe 98 PID 4308 wrote to memory of 5104 4308 Applaunch.exe 99 PID 4308 wrote to memory of 5104 4308 Applaunch.exe 99 PID 4308 wrote to memory of 5104 4308 Applaunch.exe 99 PID 5104 wrote to memory of 3572 5104 cmd.exe 101 PID 5104 wrote to memory of 3572 5104 cmd.exe 101 PID 5104 wrote to memory of 3572 5104 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vidar.exe"C:\Users\Admin\AppData\Local\Temp\Vidar.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"2⤵PID:4828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"2⤵PID:3924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" & rd /s /q "C:\ProgramData\CGIEGHJEGHJK" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3572
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85