vidar | 9463f28e07f665446e8702ec76aa02646f8efc1a9040a2201d6d256c77c8cd87 | Triage

Analysis

max time kernel
151s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 04:21

Sharing

Report Analysis Logs

General

Target

838b8b5fc2cc64655d3e2930faf5f999.exe
Size

488KB
MD5

838b8b5fc2cc64655d3e2930faf5f999
SHA1

60021758441f610962aa64c115c4b6e5af757382
SHA256

9463f28e07f665446e8702ec76aa02646f8efc1a9040a2201d6d256c77c8cd87
SHA512

da7765fc5863948b8e57b8582525eb93edc4aa2cf1905e88615d72c56179c4f6f9ddee9a1a536ad52e5cabecb3b5243956131ba063a277629c9047278f1a5845
SSDEEP

12288:cZyxgC7ZXmsNoJrtRqOcjwh+T2qoLeqhfwGhj:cAz7/yrtbYwh+No55

Score

10^/10

vidar 1707 stealer

Malware Config

Extracted

Family

vidar

Version

55.2

Botnet

1707

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
1707

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

838b8b5fc2cc64655d3e2930faf5f999.exe

description pid process target process

PID 1548 set thread context of 1916 1548 838b8b5fc2cc64655d3e2930faf5f999.exe RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

838b8b5fc2cc64655d3e2930faf5f999.exe

description	pid	process	target process
PID 1548 wrote to memory of 1916	1548	838b8b5fc2cc64655d3e2930faf5f999.exe	RegSvcs.exe
PID 1548 wrote to memory of 1916	1548	838b8b5fc2cc64655d3e2930faf5f999.exe	RegSvcs.exe
PID 1548 wrote to memory of 1916	1548	838b8b5fc2cc64655d3e2930faf5f999.exe	RegSvcs.exe
PID 1548 wrote to memory of 1916	1548	838b8b5fc2cc64655d3e2930faf5f999.exe	RegSvcs.exe
PID 1548 wrote to memory of 1916	1548	838b8b5fc2cc64655d3e2930faf5f999.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\838b8b5fc2cc64655d3e2930faf5f999.exe
"C:\Users\Admin\AppData\Local\Temp\838b8b5fc2cc64655d3e2930faf5f999.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-132-0x0000000000000000-mapping.dmp

Download
memory/1916-133-0x0000000000500000-0x000000000055E000-memory.dmp

Filesize
376KB

Download
memory/1916-139-0x0000000000500000-0x000000000055E000-memory.dmp

Filesize
376KB

Download