vidar | 3f92fd1cbc5200c8311a20e4a19b37e11fef32c23738c79a9e331f3d9ebbfb75

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/09/2022, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05bae311bb96de87f65d0e3548d4c2ed.exe
Size

7.5MB
MD5

05bae311bb96de87f65d0e3548d4c2ed
SHA1

31a99d3628f9e28e4905a7f6c15f4dd6c76c2244
SHA256

3f92fd1cbc5200c8311a20e4a19b37e11fef32c23738c79a9e331f3d9ebbfb75
SHA512

fb3bca90cc76dfc80ad8eaf446ddded735e6788317797a1c01de1a056c171cb51bf8fc41963f4699dcf0ffc9133d43e5f9efd01114b26925144266bc739610ec
SSDEEP

196608:ewTq2Da99eBrjW+4YkvY5ENNfrxQcSjkpgz1tyOigbPcjQ68XGAaePpfj8uCPaF7:eUEFYRdK

Score

10^/10

vidar 1680 stealer

Malware Config

Extracted

Family

vidar

Version

54.6

Botnet

1680

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
1680

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	1756	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1944 wrote to memory of 1756	1944	05bae311bb96de87f65d0e3548d4c2ed.exe	28
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	29
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	29
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	29
PID 1756 wrote to memory of 1708	1756	05bae311bb96de87f65d0e3548d4c2ed.exe	29

C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe
"C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe
  "C:\Users\Admin\AppData\Local\Temp\05bae311bb96de87f65d0e3548d4c2ed.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 116
    3⤵
    - Program crash
    PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-55-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-56-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-58-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-60-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-69-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-64-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-62-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1756-72-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1756-73-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1944-54-0x0000000000020000-0x00000000007AE000-memory.dmp

Filesize
7.6MB

Download