vidar | 33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362

Analysis

max time kernel
129s
max time network
133s
platform
windows7_x64
resource
win7-20220901-en
submitted
11/09/2022, 06:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d311d95c1cbae9b5a21e2c52995a2ae6.exe
Size

375KB
MD5

d311d95c1cbae9b5a21e2c52995a2ae6
SHA1

e6334f2bd1a4fc2926acff2888abb6835605ce70
SHA256

33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362
SHA512

abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24
SSDEEP

6144:HhtAlyCzt2Lmi0WCQD4erl+IPNqh/cDluYEBKTm46X0V77AoHuASdOX:HhtAPMmi0WCqvrl+IlNl/EkTmfEVdsOX

Score

10^/10

vidar 1438 stealer

Malware Config

Extracted

Family

vidar

Version

54.2

Botnet

1438

https://t.me/tigogames

https://ioc.exchange/@tiagoa26

Attributes

profile_id
1438

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28
PID 1200 wrote to memory of 832	1200	d311d95c1cbae9b5a21e2c52995a2ae6.exe	28

C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe
"C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:832

Network

DNS

t.me

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
DNS

ioc.exchange

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

ioc.exchange

IN A

Response

ioc.exchange

IN A

45.79.113.18
DNS

ioc.exchange

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

ioc.exchange

IN A

Response

ioc.exchange

IN A

45.79.113.18
GET

https://ioc.exchange/@tiagoa26

AppLaunch.exe

Remote address:

45.79.113.18:443

Request

GET /@tiagoa26 HTTP/1.1
Host: ioc.exchange

Response

HTTP/1.1 403 Forbidden

Date: Sun, 11 Sep 2022 06:47:17 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: max-age=180, public
Vary: Accept-Encoding, Origin
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-8gqSD2F83Vb0xKH1NjPMhQ=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
Set-Cookie: _mastodon_session=jFUQzjRlkNqBkEJZt3gR6jzp8EP47KegAYv4%2FTTv6tTqBBUCYEZMxb%2Bg9LeqObTUiut10y8zjm4eH%2Ft0Ju337rM1KDrfd5xUoiP8qFtW%2BMXz5Fd%2BTQYhhFgGuHYq4Z6tJiQ01cFKt7n2I8TrQ3almfjuq0tq3OeKD1zNOAW52KOOHD91jXvAADjj9FMztJw%2FNplHE3FouOMASC9In5w5XRo5PBSCM81HG4MPOPw%2FGiaV--n83Zgxr304%2BYYamn--mioCaAhHDxzkRt4HVEBhQQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: f3e7c538-3a35-4997-8a51-b3fab3376d44
X-Runtime: 0.017405
Strict-Transport-Security: max-age=63072000; includeSubDomains
DNS

apps.identrust.com

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.16.53.134

a1952.dscq.akamai.net

IN A

96.16.53.139
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

AppLaunch.exe

Remote address:

96.16.53.134:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Sun, 11 Sep 2022 07:47:16 GMT
Date: Sun, 11 Sep 2022 06:47:16 GMT
Connection: keep-alive
GET

https://ioc.exchange/@tiagoa26

AppLaunch.exe

Remote address:

45.79.113.18:443

Request

GET /@tiagoa26 HTTP/1.1
Host: ioc.exchange
Cookie: _mastodon_session=jFUQzjRlkNqBkEJZt3gR6jzp8EP47KegAYv4%2FTTv6tTqBBUCYEZMxb%2Bg9LeqObTUiut10y8zjm4eH%2Ft0Ju337rM1KDrfd5xUoiP8qFtW%2BMXz5Fd%2BTQYhhFgGuHYq4Z6tJiQ01cFKt7n2I8TrQ3almfjuq0tq3OeKD1zNOAW52KOOHD91jXvAADjj9FMztJw%2FNplHE3FouOMASC9In5w5XRo5PBSCM81HG4MPOPw%2FGiaV--n83Zgxr304%2BYYamn--mioCaAhHDxzkRt4HVEBhQQ%3D%3D

Response

HTTP/1.1 403 Forbidden

Date: Sun, 11 Sep 2022 06:49:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: max-age=180, public
Vary: Accept-Encoding, Origin
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-0EUEagqiKTh4UwIOeD2TQQ=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
Set-Cookie: _mastodon_session=1ARKwSnmt90Wsy8LrX2PQu7t3gV9%2FojPRctrBXd9lgIiHEJV%2B30TvqA83%2FKodtDKeijmhTpxbCzBHzIjMx6nM8TbSTi8ZAc7J0NgXmkaMlk11tQzyRU%2FNZJqC187DfzcvhOGWhXXesRSADyU%2B9vgXaXPtrbD2z75CPJkyd4%2F5GYx0SWIUjMsYoKCikuH443UvmmaeM5GHPm%2F3XDmtjLyLUbAWOPGNuvDRc92D2fTw%2FVc--D6kbwhidbVl2aEuk--vQRYhSqMCGA0VpeLmgZf1A%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: 09c95e90-352c-48b6-8eb7-f07c685525c2
X-Runtime: 0.014338
Strict-Transport-Security: max-age=63072000; includeSubDomains

149.154.167.99:443

t.me

tls

AppLaunch.exe

385 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

347 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

288 B
219 B
5
5
149.154.167.99:443

t.me

AppLaunch.exe

190 B
92 B
4
2
45.79.113.18:443

https://ioc.exchange/@tiagoa26

tls, http

AppLaunch.exe

924 B
8.0kB
11
15

HTTP Request

GET https://ioc.exchange/@tiagoa26

HTTP Response

403
96.16.53.134:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

AppLaunch.exe

369 B
1.6kB
5
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
149.154.167.99:443

t.me

tls

AppLaunch.exe

385 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

347 B
219 B
5
5
149.154.167.99:443

t.me

tls

AppLaunch.exe

288 B
219 B
5
5
149.154.167.99:443

t.me

AppLaunch.exe

190 B
92 B
4
2
45.79.113.18:443

https://ioc.exchange/@tiagoa26

tls, http

AppLaunch.exe

1.0kB
3.3kB
7
9

HTTP Request

GET https://ioc.exchange/@tiagoa26

HTTP Response

403

8.8.8.8:53

t.me

dns

AppLaunch.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

ioc.exchange

dns

AppLaunch.exe

116 B
148 B
2
2

DNS Request

ioc.exchange

DNS Request

ioc.exchange

DNS Response

45.79.113.18

DNS Response

45.79.113.18
8.8.8.8:53

apps.identrust.com

dns

AppLaunch.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.16.53.134

96.16.53.139

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/832-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/832-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/832-64-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/832-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.