vidar | e9a341bafeaba15c7e73a7ebb64f2c6463f23f6fbb83417943b4429ef00ab00e | Triage

Analysis

max time kernel
135s
max time network
136s
platform
windows10_x64
resource
win10v20210408
submitted
08-05-2021 09:02

Sharing

Report Analysis Logs

General

Target

bbffc3df8804d72ec64bf851e316b233.exe
Size

681KB
MD5

bbffc3df8804d72ec64bf851e316b233
SHA1

45dcfb6bcb80179a6d4324f2c574da9320943c99
SHA256

e9a341bafeaba15c7e73a7ebb64f2c6463f23f6fbb83417943b4429ef00ab00e
SHA512

85484e2a447d5862efda0e8ad4d3d865959769259b3b41bc61af1d52d48a37b2ab40284b6af7a27b3a626af9c999e3962a46f84fa214a65a3c19823a7a6b06dd

Score

10^/10

vidar 890 stealer

Malware Config

Extracted

Family

vidar

Version

38.7

Botnet

890

C2

https://HAL9THapi.faceit.comramilgame

Attributes

profile_id
890

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 668 created 804 668 WerFault.exe bbffc3df8804d72ec64bf851e316b233.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/804-114-0x0000000000760000-0x00000000007F7000-memory.dmp	family_vidar
behavioral2/memory/804-115-0x0000000000400000-0x00000000004C0000-memory.dmp	family_vidar

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

668 804 WerFault.exe bbffc3df8804d72ec64bf851e316b233.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 668 WerFault.exe
Token: SeBackupPrivilege 668 WerFault.exe
Token: SeDebugPrivilege 668 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bbffc3df8804d72ec64bf851e316b233.exe
"C:\Users\Admin\AppData\Local\Temp\bbffc3df8804d72ec64bf851e316b233.exe"
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1380
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-114-0x0000000000760000-0x00000000007F7000-memory.dmp

Filesize
604KB

Download
memory/804-115-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download