vidar | 47581e7daf7e92fa4de9fdff4e7b055ca5c80a34656823aa4034a02c39390bbc

Analysis

Target

SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe
Size

382KB
MD5

de5694d171d676112fcd0626b05f716b
SHA1

23292b9b87f67f26635e2ff4e6ab53f8a3b1983f
SHA256

47581e7daf7e92fa4de9fdff4e7b055ca5c80a34656823aa4034a02c39390bbc
SHA512

320a21b3f6de29c4e224ee44f7407c1be8d172a4b3377c9b1b3912170b6f6ab867df44b6e03e3457d93651d290530bbb50ad5df3a9818f08bd16131c59a3c299
SSDEEP

6144:Icx0joKH4VwxjIqLT6L6TYjFg7xKXe8dxt6k4N/DAYiAvrzjO4jgB+1H4brfibtp:Icx6YVwR1T6LdjcKXeWt6k4pWAvPjO4B

Score

10^/10

vidar 1438 stealer

Family

vidar

Version

54.2

Botnet

1438

https://t.me/tigogames

https://ioc.exchange/@tiagoa26

Attributes

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29
PID 1832 wrote to memory of 1364	1832	SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe	29

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.174506.16237.25035.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1364

memory/1364-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-64-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1364-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download