Today I wanted to do a quick behavioral analysis of Vidar. This particular piece of malware I downloaded from https://www.malware-traffic-analysis.net/2019/01/10/index2.html and is part of the Hookads campaign that is using the Rig Exploit Kit to push Vidar. So lets get started…
So what I will be doing is fairly straight forward. I will first setup my Remnux VM by running fakedns, inetsim and wireshark. On my Windows machine I will run Process Hacker and Procmon. I will then kick off the executable, let it run for a few minutes or until it deletes itself, to ensure I can capture most of its functionality. So first, we will take a look at its network traffic.
So it is trying to reach out to tepingost[.]ug and download the .dll files. It will drop them in the ProgramData folder and they will delete themselves when the executable deletes itself. The .dll’s you see here are simulated through inetsim. I am not completely sure what the .dll files are but, that could be another good exercise to see what their functionality reveals. It also appears to go out ip-api.com.
It creates a randomly named folder inside of the ProgramData folder as well where it gets an inventory of your system, copies any passwords and looks to also collect Outlook information. Here is a part of the ProcDot .png.
Not pictured here but during my debugging I was able to set breakpoints on CopyFileA and ReadFile to see what it was copying and reading. Unfortunately I forgot to take screenshots and now I am unable to get it to run correctly in my debugger. So I will give you a quick rundown.
It created information.txt, which inventoried your system, password.txt, which will collect your passwords and outlook.txt which would probably collect Outlook information. It will then zip it all up and send it out.
Be careful with the URL tepingost[.]ug because it appears to still be active. I tested it out by using wget to manually collect all of the .dll files it referred to in my ProgramData folder. So I hope this was useful and until next time…