vidar | 9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae

Analysis

max time kernel
29s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13/01/2023, 01:07

Target

50d576843a36ea0ed56d5ff525690a782db8a9e3.exe
Size

602KB
MD5

3eb2e4fc5a63f1148550e8ad8f55d56c
SHA1

50d576843a36ea0ed56d5ff525690a782db8a9e3
SHA256

9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae
SHA512

50029b544fb5b94f69d0739609e7aa3b320ae674e18a589430f953d6f0a935bb7a0d21753742f4729ad987fa3917816f4bbc8dbe6d10d01d0a7db84f260c2060
SSDEEP

12288:FkESTrfRL7qg5g+SQVSbEg7t3O3og3iN7f86LHut03:m7PvG+S77Yt3iN7fUW

Score

10^/10

vidar 255 stealer

Family

vidar

Version

Botnet

255

https://t.me/tgdatapacks

https://steamcommunity.com/profiles/76561199469677637

Attributes

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28
PID 1356 wrote to memory of 1068	1356	50d576843a36ea0ed56d5ff525690a782db8a9e3.exe	28

C:\Users\Admin\AppData\Local\Temp\50d576843a36ea0ed56d5ff525690a782db8a9e3.exe
"C:\Users\Admin\AppData\Local\Temp\50d576843a36ea0ed56d5ff525690a782db8a9e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1068

memory/1068-57-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1068-60-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1068-61-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1356-54-0x00000000002B0000-0x0000000000348000-memory.dmp

Filesize
608KB

Download
memory/1356-55-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/1356-56-0x0000000000870000-0x0000000000900000-memory.dmp

Filesize
576KB

Download
memory/1356-62-0x000000001C046000-0x000000001C065000-memory.dmp

Filesize
124KB

Download