vidar | 3f92fd1cbc5200c8311a20e4a19b37e11fef32c23738c79a9e331f3d9ebbfb75

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05bae311bb96de87f65d0e3548d4c2ed.exe
Size

7.5MB
MD5

05bae311bb96de87f65d0e3548d4c2ed
SHA1

31a99d3628f9e28e4905a7f6c15f4dd6c76c2244
SHA256

3f92fd1cbc5200c8311a20e4a19b37e11fef32c23738c79a9e331f3d9ebbfb75
SHA512

fb3bca90cc76dfc80ad8eaf446ddded735e6788317797a1c01de1a056c171cb51bf8fc41963f4699dcf0ffc9133d43e5f9efd01114b26925144266bc739610ec
SSDEEP

196608:ewTq2Da99eBrjW+4YkvY5ENNfrxQcSjkpgz1tyOigbPcjQ68XGAaePpfj8uCPaF7:eUEFYRdK

Score

10^/10

vidar 1680 stealer

Malware Config

Extracted

Family

vidar

Version

54.6

Botnet

1680

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
1680

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

05bae311bb96de87f65d0e3548d4c2ed.exe

description pid process target process

PID 1944 set thread context of 1756 1944 05bae311bb96de87f65d0e3548d4c2ed.exe 05bae311bb96de87f65d0e3548d4c2ed.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1708 1756 WerFault.exe 05bae311bb96de87f65d0e3548d4c2ed.exe

description	pid	process	target process
PID 1944 set thread context of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe

pid	pid_target	process	target process
1708	1756	WerFault.exe	05bae311bb96de87f65d0e3548d4c2ed.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

05bae311bb96de87f65d0e3548d4c2ed.exe05bae311bb96de87f65d0e3548d4c2ed.exe

description	pid	process	target process
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	05bae311bb96de87f65d0e3548d4c2ed.exe
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	WerFault.exe
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	WerFault.exe
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	WerFault.exe
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe
"C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe
"C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 116
3⤵
- Program crash
PID:1708

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-74-0x0000000000000000-mapping.dmp

Download
memory/1756-55-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-56-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-58-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-60-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-69-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-65-0x000000000086094D-mapping.dmp

Download
memory/1756-64-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-62-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-72-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1756-73-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1944-54-0x0000000000020000-0x00000000007AE000-memory.dmp

Filesize
7.6MB

Download