vidar | 9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89

General

Target

6382174601bf02a6f9b09303d4c7febf.exe
Size

551KB
MD5

6382174601bf02a6f9b09303d4c7febf
SHA1

6af4c812ba7acc3e5a7237f4dfd7e013915aeda7
SHA256

9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89
SHA512

62a24678c137367416613c34a4c7568a2323f264da5f59555a63d54b1b33ffbc94fd1d8c910c799383a91769809b72ebd0e0e61f617e1a784bcd4115d1098132

Score

10^/10

vidar 903 agilenet stealer

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

903

C2

https://sslamlssa1.tumblr.com/

Attributes

profile_id
903

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/324-64-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1496-63-0x0000000000500000-0x0000000000508000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

6382174601bf02a6f9b09303d4c7febf.exe

description pid process target process

PID 1496 set thread context of 324 1496 6382174601bf02a6f9b09303d4c7febf.exe 6382174601bf02a6f9b09303d4c7febf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6382174601bf02a6f9b09303d4c7febf.exe

description pid process

Token: SeDebugPrivilege 1496 6382174601bf02a6f9b09303d4c7febf.exe

description	pid	process	target process
PID 1496 set thread context of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe

description	pid	process
Token: SeDebugPrivilege	1496	6382174601bf02a6f9b09303d4c7febf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6382174601bf02a6f9b09303d4c7febf.exe

description	pid	process	target process
PID 1496 wrote to memory of 1004	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 1004	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 1004	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 1004	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe
PID 1496 wrote to memory of 324	1496	6382174601bf02a6f9b09303d4c7febf.exe	6382174601bf02a6f9b09303d4c7febf.exe

C:\Users\Admin\AppData\Local\Temp\6382174601bf02a6f9b09303d4c7febf.exe
"C:\Users\Admin\AppData\Local\Temp\6382174601bf02a6f9b09303d4c7febf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\6382174601bf02a6f9b09303d4c7febf.exe
C:\Users\Admin\AppData\Local\Temp\6382174601bf02a6f9b09303d4c7febf.exe
2⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\6382174601bf02a6f9b09303d4c7febf.exe
C:\Users\Admin\AppData\Local\Temp\6382174601bf02a6f9b09303d4c7febf.exe
2⤵
PID:324

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-64-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/324-65-0x000000000046B76D-mapping.dmp

Download
memory/1496-60-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1496-62-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1496-63-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads