vidar | f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 16:21

Target

f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe
Size

422KB
MD5

19b18ab424c9bfe498094eab6e124eb8
SHA1

b78148d95360125fe8e778bbff8d41eb58c48ede
SHA256

f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956
SHA512

202f57aa334bed6c55731c79804a5d05e879b3b518483668d5d73848b5409882cc90f17a4735fbb6fddb0f0a3ce3bf36c9d022e59b850b77ba679201f9c40b0b
SSDEEP

6144:HoLb1OERwfgniUfKdZn20oOv2bXtirPnE3Z783CbhCWOued79ZDRBM++gw:HwbYERDno0r42bX983CbKuCnM++gw

Score

10^/10

vidar 19 stealer

Family

vidar

Version

1.9

Botnet

https://t.me/travelticketshop

https://steamcommunity.com/profiles/76561199469016299

Attributes

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27
PID 1500 wrote to memory of 1932	1500	f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe	27

C:\Users\Admin\AppData\Local\Temp\f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe
"C:\Users\Admin\AppData\Local\Temp\f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe
  "C:\Users\Admin\AppData\Local\Temp\f89ea963fcb584772f149a3c6a576d2a8cb037b3f956a.exe"
  2⤵
  PID:1932

memory/1500-57-0x000000000058D000-0x00000000005BB000-memory.dmp

Filesize
184KB

Download
memory/1500-59-0x0000000000220000-0x000000000026C000-memory.dmp

Filesize
304KB

Download
memory/1932-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1932-58-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1932-60-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download