vidar | 60c7b93fd71057e6beef15759f04ac62d60b5f28189d3ffcf1f73584c6b15759

General

Target

Unlock_App_v1.4.rar
Size

48.5MB
MD5

dfe1a6d784fd857917e598d6f2ef47b5
SHA1

57f6b05b78bbac9ecc66970cbed2da2a28add46c
SHA256

70ef4ae08f85a6a8aedf229c4ebe5e12cf3cc82d955c2731747d619926afa885
SHA512

20d226d38d9d1f445015c06f0202e5382a8262e167a0004e060f8e25ecf5f46b1ce089a19676508e02d514b4dd5821cb173a7b20dd563c458145aae7cc7c671c
SSDEEP

1572864:gu22WKNf3rxDyljOP3UqMfBIL482bTnkZpRu/L:gu5W2dMjmxABIqkVu/L

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/2884-30-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2884-25-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2884-23-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2884-28-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2884-164-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2884-165-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 2 IoCs

pid	Process
2016	Unlock_App_v1.4.exe
2884	Unlock_App_v1.4.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	Unlock_App_v1.4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 2884	2016	Unlock_App_v1.4.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_App_v1.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_App_v1.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Unlock_App_v1.4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Unlock_App_v1.4.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1788	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Unlock_App_v1.4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Unlock_App_v1.4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Unlock_App_v1.4.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1116	7zFM.exe
2884	Unlock_App_v1.4.exe
1116	7zFM.exe
1116	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1116	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1116	7zFM.exe
Token: 35	1116	7zFM.exe
Token: SeSecurityPrivilege	1116	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1116	7zFM.exe
1116	7zFM.exe
1116	7zFM.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2016	1116	7zFM.exe	31
PID 1116 wrote to memory of 2016	1116	7zFM.exe	31
PID 1116 wrote to memory of 2016	1116	7zFM.exe	31
PID 1116 wrote to memory of 2016	1116	7zFM.exe	31
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2016 wrote to memory of 2884	2016	Unlock_App_v1.4.exe	33
PID 2884 wrote to memory of 648	2884	Unlock_App_v1.4.exe	35
PID 2884 wrote to memory of 648	2884	Unlock_App_v1.4.exe	35
PID 2884 wrote to memory of 648	2884	Unlock_App_v1.4.exe	35
PID 2884 wrote to memory of 648	2884	Unlock_App_v1.4.exe	35
PID 648 wrote to memory of 1788	648	cmd.exe	37
PID 648 wrote to memory of 1788	648	cmd.exe	37
PID 648 wrote to memory of 1788	648	cmd.exe	37
PID 648 wrote to memory of 1788	648	cmd.exe	37

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\7zOC5401507\Unlock_App_v1.4.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5401507\Unlock_App_v1.4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\7zOC5401507\Unlock_App_v1.4.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC5401507\Unlock_App_v1.4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zOC5401507\Unlock_App_v1.4.exe" & rd /s /q "C:\ProgramData\9RIW4ECJ5XBA" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95ac4a510395d349e78d35ebe8960224

SHA1
9f74501c11e3cd76a918733370c8315761b435bf

SHA256
93e85efbce0daf1f94dd7680c160f635a473870e5f837bc6b4401064cfcaf83a

SHA512
ec573596aa33ae23e747882156ed7e5cdd91871ed6f13644a52eb5e2aec8cbd57c3a0df305bbee56d4aa71a4156e46ca65f9b1abe97c338d57ce5a0646d1a7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC5401507\Unlock_App_v1.4.exe

Filesize
411KB

MD5
97bb4293c15b5a4655cf2529af46b9c9

SHA1
7a4c52fb44fe83569690f613bc130ad05ade70f5

SHA256
65bc22e44ab960149aed81404f38955fb24d22c011096315868e1756e9e1885e

SHA512
c1b8cf5d42d4ff0f5dbb62b8929c927b84315b971b7e1e7f445e3da8f5bf5530ee081f17633a95dd58c2e5ffba77041558a6e58ef2e36c8a94ffc76b87c22e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3574.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3671.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2884-19-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-21-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-23-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-28-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-18-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-15-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-25-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-30-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-164-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2884-165-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing