vidar | 3b275eb3041764efa0c25789652714f73013eba1cca9636d1dd201db733e16c1

Analysis

Target

f20d8f923ba4065f004bbb79086a8637.exe
Size

608KB
MD5

f20d8f923ba4065f004bbb79086a8637
SHA1

f43809b21b6e4dc9eba2d4681b2d8fc10384edc3
SHA256

3b275eb3041764efa0c25789652714f73013eba1cca9636d1dd201db733e16c1
SHA512

70bc9ea694a32ef7625ddc33b40d0a0c0c7e149886938304052740ac45d1d547fd8d2a08e085103fe6a9a8b7d165f3364a770e92ab0c8b00235e77e56ef84867
SSDEEP

12288:NFG1MZ0KtvusH5nfVwcCU/gb5uGJ5j/irX7fy29C+A30Fo9srKdMEFqW3QjyVInn:y185ndiU/4J/irX7q2MV0kWYyeJni

Score

10^/10

vidar 1438 stealer

Family

vidar

Version

54.2

Botnet

1438

https://t.me/tigogames

https://ioc.exchange/@tiagoa26

Attributes

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

f20d8f923ba4065f004bbb79086a8637.exe

description pid process target process

PID 1896 set thread context of 1940 1896 f20d8f923ba4065f004bbb79086a8637.exe AppLaunch.exe

description	pid	process	target process
PID 1896 set thread context of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f20d8f923ba4065f004bbb79086a8637.exe

description	pid	process	target process
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe
PID 1896 wrote to memory of 1940	1896	f20d8f923ba4065f004bbb79086a8637.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\f20d8f923ba4065f004bbb79086a8637.exe
"C:\Users\Admin\AppData\Local\Temp\f20d8f923ba4065f004bbb79086a8637.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1940

memory/1940-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-62-0x0000000000422DBD-mapping.dmp

Download
memory/1940-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-64-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1940-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download