vidar | 2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca

General

Target

kw8fwzf055hq2bo1s8mhd43v.exe
Size

9.8MB
MD5

2a7ec240fa5e25c92b2b78c4f1002ea0
SHA1

bca1465b8bafa5fe58d96d4289356d40c3d44155
SHA256

2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca
SHA512

dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3
SSDEEP

98304:D2FemCZvjc2SdS7Q+6qfx0Suals9I/f0E7zs/Ym6lQCpR2RJncpl2:6FeppPfxLsQf/7zLzVpWnQ2

Score

10^/10

vidar fc0stn discovery stealer

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

C2

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kw8fwzf055hq2bo1s8mhd43v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84
PID 3700 wrote to memory of 3164	3700	kw8fwzf055hq2bo1s8mhd43v.exe	84

C:\Users\Admin\AppData\Local\Temp\kw8fwzf055hq2bo1s8mhd43v.exe
"C:\Users\Admin\AppData\Local\Temp\kw8fwzf055hq2bo1s8mhd43v.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3164

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1000

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3368

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7c1137e5-89fb-46b0-a445-e18ecf3ae8ff.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d6d3499e5dfe058db4af5745e6885661

SHA1
ef47b148302484d5ab98320962d62565f88fcc18

SHA256
7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

SHA512
ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

Download Submit
memory/3164-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3164-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3164-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3164-12-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3164-16-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing