vidar | 3b275eb3041764efa0c25789652714f73013eba1cca9636d1dd201db733e16c1

Analysis

max time kernel
135s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
submitted
08/09/2022, 12:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f20d8f923ba4065f004bbb79086a8637.exe
Size

608KB
MD5

f20d8f923ba4065f004bbb79086a8637
SHA1

f43809b21b6e4dc9eba2d4681b2d8fc10384edc3
SHA256

3b275eb3041764efa0c25789652714f73013eba1cca9636d1dd201db733e16c1
SHA512

70bc9ea694a32ef7625ddc33b40d0a0c0c7e149886938304052740ac45d1d547fd8d2a08e085103fe6a9a8b7d165f3364a770e92ab0c8b00235e77e56ef84867
SSDEEP

12288:NFG1MZ0KtvusH5nfVwcCU/gb5uGJ5j/irX7fy29C+A30Fo9srKdMEFqW3QjyVInn:y185ndiU/4J/irX7q2MV0kWYyeJni

Score

10^/10

vidar 1438 stealer

Malware Config

Extracted

Family

vidar

Version

54.2

Botnet

1438

https://t.me/tigogames

https://ioc.exchange/@tiagoa26

Attributes

profile_id
1438

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	29

C:\Users\Admin\AppData\Local\Temp\f20d8f923ba4065f004bbb79086a8637.exe
"C:\Users\Admin\AppData\Local\Temp\f20d8f923ba4065f004bbb79086a8637.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1940

Network

DNS

t.me

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
DNS

ioc.exchange

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

ioc.exchange

IN A

Response

ioc.exchange

IN A

45.79.113.18
GET

https://ioc.exchange/@tiagoa26

AppLaunch.exe

Remote address:

45.79.113.18:443

Request

GET /@tiagoa26 HTTP/1.1
Host: ioc.exchange

Response

HTTP/1.1 403 Forbidden

Date: Thu, 08 Sep 2022 12:37:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: max-age=180, public
Vary: Accept-Encoding, Origin
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-04ghX+UW8Xgh7KRvS+6d1A=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
Set-Cookie: _mastodon_session=%2FrltIb4F3nqpu6Gk9Hl7ppD54kMdrS5hEMyuEjSNyyeXsZc2%2BOCyRH%2Fv7wvpX0h3WIzzxonjEYu9Jx1vW67GfuAD1xuMS%2FZCExeLzQNvFyMZdGb3aNLEzpUZKMV%2FeCpprOWAPQV68hl5YiW0G1PBqlsV3J2I7QQNk3dQtrfuDpJu0OXFxzAkIzB9suKkhQr3VKT2oo99d0bXBcLeaSbRmO%2F71GNBXjuI5uF7x4atQshV--hvycoFOzoA3%2BEsNn--zSqiMFYKWlrynBMhfap2%2Fg%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: 79ea9f9d-e58d-41ef-ba47-443fb5d17409
X-Runtime: 0.014005
Strict-Transport-Security: max-age=63072000; includeSubDomains
DNS

apps.identrust.com

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.16.53.134

a1952.dscq.akamai.net

IN A

96.16.53.139
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

AppLaunch.exe

Remote address:

96.16.53.134:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Thu, 08 Sep 2022 13:37:22 GMT
Date: Thu, 08 Sep 2022 12:37:22 GMT
Connection: keep-alive
GET

https://ioc.exchange/@tiagoa26

AppLaunch.exe

Remote address:

45.79.113.18:443

Request

GET /@tiagoa26 HTTP/1.1
Host: ioc.exchange
Cookie: _mastodon_session=%2FrltIb4F3nqpu6Gk9Hl7ppD54kMdrS5hEMyuEjSNyyeXsZc2%2BOCyRH%2Fv7wvpX0h3WIzzxonjEYu9Jx1vW67GfuAD1xuMS%2FZCExeLzQNvFyMZdGb3aNLEzpUZKMV%2FeCpprOWAPQV68hl5YiW0G1PBqlsV3J2I7QQNk3dQtrfuDpJu0OXFxzAkIzB9suKkhQr3VKT2oo99d0bXBcLeaSbRmO%2F71GNBXjuI5uF7x4atQshV--hvycoFOzoA3%2BEsNn--zSqiMFYKWlrynBMhfap2%2Fg%3D%3D

Response

HTTP/1.1 403 Forbidden

Date: Thu, 08 Sep 2022 12:39:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: max-age=180, public
Vary: Accept-Encoding, Origin
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-YxB0Iu9BIvt0eCcD1Lgfxw=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
Set-Cookie: _mastodon_session=di37tgiI2RSFqWYcLxe5hCr2Pn9MWtm%2F1ZnhorbYEG2adp5VxSWdJTcIyiAM2U5%2BlTJOxhNLZajkxpmCazbViarK7NqEjmFGmsobCobKhSvnJ1a9SAML%2BksDKRZ7rB5%2BQ7BgVSWfxpGchUdpLmBAAaLkBgbxIyFWPcXlPvhLL5cOUpF0UV8YEA9aTxwnTYUldQOqmCyl9Th5Arn8pcFBRf4q6KU8pH3m0mxtPBxFYKMZ--k2%2FtJoV7yMfMkbUz--TUJ3pIkERhyg3A20tMTo7w%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: 69188874-1c60-4fef-9fb1-3c4d0ad0caab
X-Runtime: 0.015227
Strict-Transport-Security: max-age=63072000; includeSubDomains

149.154.167.99:443

t.me

tls

AppLaunch.exe

385 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

347 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

288 B
219 B
5
5
149.154.167.99:443

t.me

AppLaunch.exe

190 B
92 B
4
2
45.79.113.18:443

https://ioc.exchange/@tiagoa26

tls, http

AppLaunch.exe

930 B
8.0kB
11
16

HTTP Request

GET https://ioc.exchange/@tiagoa26

HTTP Response

403
96.16.53.134:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

AppLaunch.exe

369 B
1.6kB
5
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
149.154.167.99:443

t.me

tls

AppLaunch.exe

385 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

347 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

288 B
219 B
5
5
149.154.167.99:443

t.me

AppLaunch.exe

190 B
92 B
4
2
45.79.113.18:443

https://ioc.exchange/@tiagoa26

tls, http

AppLaunch.exe

1.0kB
3.3kB
7
9

HTTP Request

GET https://ioc.exchange/@tiagoa26

HTTP Response

403

8.8.8.8:53

t.me

dns

AppLaunch.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

ioc.exchange

dns

AppLaunch.exe

58 B
74 B
1
1

DNS Request

ioc.exchange

DNS Response

45.79.113.18
8.8.8.8:53

apps.identrust.com

dns

AppLaunch.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.16.53.134

96.16.53.139

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-64-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1940-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.