vidar | a5b080b113b0e13d9ceb14e8a542473d36e33c4bee8c90dd98edb666eaede9f6

General

Target

2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe
Size

5.2MB
MD5

4a41b51ad45e7afe2361a0e6a2767ead
SHA1

9039ebdb8436cb16b4e05d76528cffb09ed2818d
SHA256

a5b080b113b0e13d9ceb14e8a542473d36e33c4bee8c90dd98edb666eaede9f6
SHA512

8f4dff537209e28f7dec4928fd73610bf5155046d2864c55b44ba70a9c4ad57e15905b705ecd4018203b412100cfa2e62fcbadd7e87478bc8b0c19f645adf645
SSDEEP

49152:f37SamZxElS+RgCSnA9Z7zuwNWwbY0HZzMOhy5jT5iYpeF+SVVOs5phn5Qvx1m:frSZDs6lA9FawpzClUl5pV

Score

10^/10

vidar credential_access discovery stealer

Malware Config

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/memory/3096-4-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7
behavioral2/memory/3096-7-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7
behavioral2/memory/3096-2-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7
behavioral2/memory/3096-8-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7
behavioral2/memory/3096-15-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7
behavioral2/memory/3096-16-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7
behavioral2/memory/3096-17-0x0000000000600000-0x0000000000839000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4440	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3096	BitLockerToGo.exe
3096	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 4536 wrote to memory of 3096	4536	2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe	95
PID 3096 wrote to memory of 3228	3096	BitLockerToGo.exe	97
PID 3096 wrote to memory of 3228	3096	BitLockerToGo.exe	97
PID 3096 wrote to memory of 3228	3096	BitLockerToGo.exe	97
PID 3228 wrote to memory of 4440	3228	cmd.exe	99
PID 3228 wrote to memory of 4440	3228	cmd.exe	99
PID 3228 wrote to memory of 4440	3228	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-21_4a41b51ad45e7afe2361a0e6a2767ead_frostygoop_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\2DBI5PPH4EUA" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-0-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-4-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-7-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-2-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-8-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-15-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-16-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download
memory/3096-17-0x0000000000600000-0x0000000000839000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing