vidar | 2efc288f7eca7bc4f1d38b06adcaf6ad70dbf4dc258350ff8621f0a3b378d392

Analysis

max time kernel
137s
max time network
135s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-12-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-app.7z
Size

116.3MB
MD5

19a53c88b57e9f330250bd8a72ff6694
SHA1

31fcff8753ee1ce1738ae3d040e1cca293aa4cb1
SHA256

2efc288f7eca7bc4f1d38b06adcaf6ad70dbf4dc258350ff8621f0a3b378d392
SHA512

ee14bc08cc3e7e4ec28d442ade22b16b195ff17624cd663dbc7b9cab6d5e38efea8168fad167c5d9c87c12168a013e8878399a46e49c428a656d86bf91ccbba0
SSDEEP

3145728:RwxAsSR/f8ntHCrjS9F10RN0WnfLD40KSdVEkSzjRdpsKo:AAsOH6tSS9FG4aDxKSdV0RjE

Score

10^/10

vidar credential_access discovery execution spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://servivemirctosoftliveanble.top/kKLFHRRKLFKJLj34345734786frhjrelkwefhjKJjhfjwkgjkJFRKFRHJ342334KLFJK/lica

exe.dropper

https://servivemirctosoftliveanble.top/kKLFHRRKLFKJLj34345734786frhjrelkwefhjKJjhfjwkgjkJFRKFRHJ342334KLFJK/lica

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral4/memory/2296-348-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral4/memory/2296-350-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral4/memory/2296-359-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral4/memory/2296-360-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1756	powershell.exe
5	1756	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4032	powershell.exe
1756	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3796	Setup.exe
820	7za.exe
2120	PH5OZJ0F.exe
2296	PH5OZJ0F.exe

Loads dropped DLL 1 IoCs

pid	Process
3796	Setup.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 2296	2120	PH5OZJ0F.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	2120	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PH5OZJ0F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PH5OZJ0F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PH5OZJ0F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PH5OZJ0F.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
772	timeout.exe
1308	timeout.exe
2244	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1756	powershell.exe
1756	powershell.exe
4032	powershell.exe
4032	powershell.exe
2296	PH5OZJ0F.exe
2296	PH5OZJ0F.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4120	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4120	7zFM.exe
Token: 35	4120	7zFM.exe
Token: SeSecurityPrivilege	4120	7zFM.exe
Token: SeRestorePrivilege	820	7za.exe
Token: 35	820	7za.exe
Token: SeSecurityPrivilege	820	7za.exe
Token: SeSecurityPrivilege	820	7za.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4120	7zFM.exe
4120	7zFM.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4800	3796	Setup.exe	82
PID 3796 wrote to memory of 4800	3796	Setup.exe	82
PID 4800 wrote to memory of 820	4800	cmd.exe	84
PID 4800 wrote to memory of 820	4800	cmd.exe	84
PID 4800 wrote to memory of 820	4800	cmd.exe	84
PID 4800 wrote to memory of 772	4800	cmd.exe	85
PID 4800 wrote to memory of 772	4800	cmd.exe	85
PID 4800 wrote to memory of 5116	4800	cmd.exe	86
PID 4800 wrote to memory of 5116	4800	cmd.exe	86
PID 4800 wrote to memory of 1308	4800	cmd.exe	88
PID 4800 wrote to memory of 1308	4800	cmd.exe	88
PID 5116 wrote to memory of 2492	5116	cmd.exe	89
PID 5116 wrote to memory of 2492	5116	cmd.exe	89
PID 2492 wrote to memory of 4852	2492	net.exe	90
PID 2492 wrote to memory of 4852	2492	net.exe	90
PID 5116 wrote to memory of 1756	5116	cmd.exe	91
PID 5116 wrote to memory of 1756	5116	cmd.exe	91
PID 1756 wrote to memory of 4032	1756	powershell.exe	92
PID 1756 wrote to memory of 4032	1756	powershell.exe	92
PID 1756 wrote to memory of 2120	1756	powershell.exe	93
PID 1756 wrote to memory of 2120	1756	powershell.exe	93
PID 1756 wrote to memory of 2120	1756	powershell.exe	93
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2120 wrote to memory of 2296	2120	PH5OZJ0F.exe	95
PID 2296 wrote to memory of 4756	2296	PH5OZJ0F.exe	99
PID 2296 wrote to memory of 4756	2296	PH5OZJ0F.exe	99
PID 2296 wrote to memory of 4756	2296	PH5OZJ0F.exe	99
PID 4756 wrote to memory of 2244	4756	cmd.exe	101
PID 4756 wrote to memory of 2244	4756	cmd.exe	101
PID 4756 wrote to memory of 2244	4756	cmd.exe	101

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup-app.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4120

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\data\extract_and_run.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\Desktop\data\7za.exe
    7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_7337
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "extracted_7337\sss.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Desktop\data\extracted_7337\script.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
    - - C:\Users\Admin\AppData\Roaming\PH5OZJ0F.exe
        
        "C:\Users\Admin\AppData\Roaming\PH5OZJ0F.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Users\Admin\AppData\Roaming\PH5OZJ0F.exe
        
        "C:\Users\Admin\AppData\Roaming\PH5OZJ0F.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Roaming\PH5OZJ0F.exe" & rd /s /q "C:\ProgramData\4WT2VKNOZMO8" & exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 160
        6⤵
        Program crash
        
        PID:4524
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2120 -ip 2120
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2816fcdc36f5400632fcb1848f8e5a74

SHA1
725291e13353942b0e78f1c167adb597e50e05fc

SHA256
fc095bd878d0b0d37edcdff149e5db079d08fd1bacdea49faf7ef757e36c7717

SHA512
b78c427c425104afbc1241772a7ec588101e393d1953d8dbf31f380baca7de0afae6eb62529f233342c8c75a65c346b09fbc069a897424cf74bb6b1d2bcd740e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5gsl2ws.vuh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\PH5OZJ0F.exe

Filesize
397KB

MD5
6b3fbdaf99ece34f12dc443f1c630812

SHA1
6c553ac99295ba2d02d6aadfc71073d62b2dc414

SHA256
68c5557aaa47968336253c86db39f8526d677dc8f0357bc2122ffe3c6a7915b1

SHA512
59539a6aff0127c0d1c6d286a0731b41b064d2b7acf7e44f67a075f0aabb88983a6041c8f2d16d43355cb9a0a372e088250269cc34fba3170ac2e9448fac7f18

Download Submit
C:\Users\Admin\Desktop\Setup.exe

Filesize
44KB

MD5
f86507ff0856923a8686d869bbd0aa55

SHA1
d561b9cdbba69fdafb08af428033c4aa506802f8

SHA256
94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

SHA512
6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

Download Submit
C:\Users\Admin\Desktop\data\7za.exe

Filesize
828KB

MD5
426ccb645e50a3143811cfa0e42e2ba6

SHA1
3c17e212a5fdf25847bc895460f55819bf48b11d

SHA256
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

SHA512
1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

Download Submit
C:\Users\Admin\Desktop\data\bin

Filesize
1KB

MD5
2a9a88562dcccf5892fa096d34f263bd

SHA1
3fdc4f1780d9496a7eb14b86b10ebe8e7ecf0fcc

SHA256
4b609237e0781d5725706862b815f3e884692215ec59def9945c9f786e0b32c3

SHA512
7a8294b6435cd5e6c0e086d767081a25479f4e1d42957ef3e5a30eafa859f60afb7cbad435b6ef864e263c74d5341e1bae62451fddb3e18e9601a1e342198476

Download Submit
C:\Users\Admin\Desktop\data\extract_and_run.bat

Filesize
952B

MD5
fae61599308bbc78cae99ebdcb666f43

SHA1
de0a1d2344b09b29b1040bd4904f604a47a6d8c6

SHA256
f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863

SHA512
8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

Download Submit
C:\Users\Admin\Desktop\data\extracted_7337\script.ps1

Filesize
2KB

MD5
4e5beb4126ecad8899b53d798927407d

SHA1
c1d7824af0b0e4541b1014cd43648082591ff99c

SHA256
c6ec2ca066cf23c4a9b738233325e85bcc052fc5233c02bfd11c698f648e624b

SHA512
0a35b155173353acacb3d6ab90904afafa45fc4699ed98d47e40aaa559dd482937e25c36fcfa7944c5a4ca9c7888418a67e170aa2121c0380de7687cbbdfdbd3

Download Submit
C:\Users\Admin\Desktop\data\extracted_7337\sss.bat

Filesize
405B

MD5
9ca3883fd45a5a455e64704ac6151ac9

SHA1
e7f89032ce544253a51020d7e894f6919fc35839

SHA256
c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

SHA512
e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

Download Submit
C:\Users\Admin\Desktop\mapistub.dll

Filesize
218KB

MD5
19f2358e19e6216a1c869fd86cd38df6

SHA1
ec475b62bd4162615509ed1bf597b670392965e6

SHA256
fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864

SHA512
c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48

Download Submit
memory/1756-322-0x00000201E1B00000-0x00000201E1B22000-memory.dmp

Filesize
136KB

Download
memory/2296-348-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2296-350-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2296-359-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2296-360-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download