vidar | fe96a24886ace072952dae318c99362572ff421c903ab154cf73d8649530c587 | Triage

Analysis

max time kernel
109s
max time network
131s
platform
windows10_x64
resource
win10-en-20211014
submitted
08-11-2021 19:02

Sharing

Report Analysis Logs

General

Target

eufive_20211108-162929(2).exe
Size

688KB
MD5

3f36f9d968431d0945b78ebca0a4adbb
SHA1

ad058a3f84037b7f5e442960d4bf388549ab0057
SHA256

fe96a24886ace072952dae318c99362572ff421c903ab154cf73d8649530c587
SHA512

aae4d9bc11077ced64d2cf1c96a428462c010231bd40cde83e44f10794a3f9c4807061bb4f09dd68370125af033558ccadaa44a923f0093589704ae63553e183

Score

10^/10

vidar 824 stealer

Malware Config

Extracted

Family

vidar

Version

48.1

Botnet

824

C2

https://koyu.space/@rspich

Attributes

profile_id
824

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1272 created 3512 1272 WerFault.exe eufive_20211108-162929(2).exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3512-116-0x00000000021E0000-0x00000000022B5000-memory.dmp	family_vidar
behavioral2/memory/3512-117-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1272 3512 WerFault.exe eufive_20211108-162929(2).exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe
1272	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1272 WerFault.exe
Token: SeBackupPrivilege 1272 WerFault.exe
Token: SeDebugPrivilege 1272 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\eufive_20211108-162929(2).exe
"C:\Users\Admin\AppData\Local\Temp\eufive_20211108-162929(2).exe"
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1152
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3512-115-0x0000000002160000-0x00000000021DB000-memory.dmp

Filesize
492KB

Download
memory/3512-116-0x00000000021E0000-0x00000000022B5000-memory.dmp

Filesize
852KB

Download
memory/3512-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download