vidar | 2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916

General

Target

2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe
Size

44KB
MD5

770b223cce43b2043d5953fffb30c512
SHA1

4b535eec398fe92c7b59b05fd8be500c49942cee
SHA256

2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916
SHA512

bdc7f650a8a09cb4099f174c287681c8199785477272f9e9d1762a7f9be2e9aa02975078958ce59eab592f814de6c78efe579886a0e1ef511cb41558a081ce9c
SSDEEP

768:8FtchgNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fejq:8FtggN7aeGEk+11Tu9AnQVLNppvk9RNQ

Score

10^/10

vidar 12d6c83ea3cfc666e31df67358e93313 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

11.4

Botnet

12d6c83ea3cfc666e31df67358e93313

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/4180-17-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4180-23-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4180-22-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4180-39-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4180-40-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Loads dropped DLL 1 IoCs

pid	Process
4180	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1536	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4180	RegAsm.exe
4180	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3572	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	83
PID 4900 wrote to memory of 3572	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	83
PID 4900 wrote to memory of 3572	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	83
PID 3572 wrote to memory of 4528	3572	csc.exe	85
PID 3572 wrote to memory of 4528	3572	csc.exe	85
PID 3572 wrote to memory of 4528	3572	csc.exe	85
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4900 wrote to memory of 4180	4900	2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe	86
PID 4180 wrote to memory of 1516	4180	RegAsm.exe	88
PID 4180 wrote to memory of 1516	4180	RegAsm.exe	88
PID 4180 wrote to memory of 1516	4180	RegAsm.exe	88
PID 1516 wrote to memory of 1536	1516	cmd.exe	90
PID 1516 wrote to memory of 1536	1516	cmd.exe	90
PID 1516 wrote to memory of 1536	1516	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe
"C:\Users\Admin\AppData\Local\Temp\2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0trdow2u\0trdow2u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA112.tmp" "c:\Users\Admin\AppData\Local\Temp\0trdow2u\CSCF291C4B4642F488595C094F64F0D6A5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFBKFHIDHIIJ" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\0trdow2u\0trdow2u.dll

Filesize
8KB

MD5
94087b96bc9ab031e91a34a81cb75832

SHA1
ec4e65b29bf3518cf4b775a17f6393a26b2de9ec

SHA256
85f7a05243a34bc1ed93fcbb6da1999039d52c4ee1fa58a729d088dc1ec8adf8

SHA512
092c34ecf9c36988d33a7d53f60723eedae9856c7a1816a469a9de273cc5722f98b4cfd10501119f8ef7c83ace96b9ad1e83fee3910ac534d8739e2b420860e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA112.tmp

Filesize
1KB

MD5
1a107ac0e8ba983b30f749f3cbe994b7

SHA1
839d4b198ce7d25292e6c08f5232d028120c671d

SHA256
ef237f09a1035d023a0e6e56ad718c97b6475c807e8c9560154db1684ebcc281

SHA512
93af3f1ceb292f2743318cc2d92c2572bcb379679a83b0dd9d74c2e5a50f8f5eac2adae71467e266c301dc202f65ee3864b2a38fcf563d50c8a04ec5e12042de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0trdow2u\0trdow2u.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0trdow2u\0trdow2u.cmdline

Filesize
204B

MD5
47bb0c753f1ca88627fe22fe3f242501

SHA1
17474c74fc3e533e2a632b46a991c60005aa2045

SHA256
d1e6263910c2368737170ab072781ffb1e23a332bd90832cfa22e0e4951dca22

SHA512
e37ecc730a933113f6ffb65fb8577ce41f31a877a760131d75f9141c85983971bb3724941c6c7d81f0b2a07f9774fba3a683ea2fa11b547691b61db9bc9f8034

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0trdow2u\CSCF291C4B4642F488595C094F64F0D6A5.TMP

Filesize
652B

MD5
5c84c9204add0f06d377c17e5081d1d3

SHA1
17a2126fe74132c9276a7dfb6bc8ebe26fc42fd3

SHA256
ee554b9179ce5d8984ea7f6cf6eade79ec4504c2f22b07cd86698d7b6f16924b

SHA512
6375a337774825ee418d3e15abd1ce298bc72add5861340532ef15b957adfe8cf2b46fb17b6297d536e90afdbd9321aa9881684f063f632ad3f68f021da3c3f7

Download Submit
memory/4180-22-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4180-17-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4180-23-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4180-39-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4180-40-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4900-2-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/4900-15-0x00000000057D0000-0x00000000057D8000-memory.dmp

Filesize
32KB

Download
memory/4900-20-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/4900-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/4900-1-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads