vidar | d7f52588d2f9c418c5fa3a9f69dc55dfcb4c36be56673cb4d7d4807fc8d99704

Analysis

max time kernel
142s
max time network
77s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:45

Target

00000000.exe
Size

718KB
MD5

7cf2ad62d3903e846f53f9cf6b6d6165
SHA1

59688005886c9f59c52087301a89c48d1749f457
SHA256

d7f52588d2f9c418c5fa3a9f69dc55dfcb4c36be56673cb4d7d4807fc8d99704
SHA512

a38942e28ff00e02c051c2a0bc9f62cd4630c9512e9b9609ded04d1e1de49bcf7c64483982d6f138b186e776044ea5fbd89d95380d9033728192f0fedff8c1c1
SSDEEP

12288:ORvRU68atsFb35ljSkv+IVYKZFL/jcrBWr1W+D78PPlY:oU68atsxTxrZx41WWQ7eNY

Score

10^/10

vidar stealer

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

00000000.exe

pid process

280 00000000.exe
280 00000000.exe
280 00000000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

00000000.exe

description pid process

Token: SeDebugPrivilege 280 00000000.exe

description	pid	process
Token: SeDebugPrivilege	280	00000000.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

00000000.exe

description	pid	process	target process
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 1552	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe
PID 280 wrote to memory of 916	280	00000000.exe	AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:916

memory/280-54-0x00000000011E0000-0x0000000001298000-memory.dmp

Filesize
736KB

Download
memory/280-55-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

Filesize
8KB

Download
memory/280-56-0x0000000000C30000-0x0000000000C60000-memory.dmp

Filesize
192KB

Download
memory/280-57-0x0000000000B40000-0x0000000000B58000-memory.dmp

Filesize
96KB

Download
memory/280-58-0x0000000004F40000-0x0000000004F5A000-memory.dmp

Filesize
104KB

Download
memory/280-59-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/1552-60-0x00000000000D0000-0x000000000012F000-memory.dmp

Filesize
380KB

Download
memory/1552-61-0x00000000000D0000-0x000000000012F000-memory.dmp

Filesize
380KB

Download
memory/1552-63-0x00000000000D0000-0x000000000012F000-memory.dmp

Filesize
380KB

Download
memory/1552-65-0x00000000000D0000-0x000000000012F000-memory.dmp

Filesize
380KB

Download
memory/1552-67-0x00000000000D0000-0x000000000012F000-memory.dmp

Filesize
380KB

Download