vidar | 33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362

Analysis

Target

d311d95c1cbae9b5a21e2c52995a2ae6.exe
Size

375KB
MD5

d311d95c1cbae9b5a21e2c52995a2ae6
SHA1

e6334f2bd1a4fc2926acff2888abb6835605ce70
SHA256

33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362
SHA512

abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24
SSDEEP

6144:HhtAlyCzt2Lmi0WCQD4erl+IPNqh/cDluYEBKTm46X0V77AoHuASdOX:HhtAPMmi0WCqvrl+IlNl/EkTmfEVdsOX

Score

10^/10

vidar 1438 stealer

Family

vidar

Version

54.2

Botnet

1438

https://t.me/tigogames

https://ioc.exchange/@tiagoa26

Attributes

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

d311d95c1cbae9b5a21e2c52995a2ae6.exe

description pid process target process

PID 1200 set thread context of 832 1200 d311d95c1cbae9b5a21e2c52995a2ae6.exe AppLaunch.exe

description	pid	process	target process
PID 1200 set thread context of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d311d95c1cbae9b5a21e2c52995a2ae6.exe

description	pid	process	target process
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe
"C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:832

memory/832-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/832-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/832-62-0x0000000000422DBD-mapping.dmp

Download
memory/832-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/832-64-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/832-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download