vidar | 67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe
Size

528KB
MD5

9105e24109392b36a6551e7fcd752973
SHA1

56bc844aa457de6b450cf08c427d534e7331572f
SHA256

67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d
SHA512

cd1682f425b1529d2ac95ace0f2bc13dc89e828f28d4c2b4d0599332c8c25648e3d700156a68cc197e222fc4d717b713826f4a36d1346bbf6c2d35e188c8890f
SSDEEP

12288:0TvwH50cBHpdEfEOYeGB5L+8wpMTB6xW1ZJ8/FcHxSn:ZyIHy8eGfL+zwfG/FwO

Score

10^/10

vidar 821 stealer

Malware Config

Extracted

Family

vidar

Version

1.9

Botnet

821

https://t.me/travelticketshop

https://steamcommunity.com/profiles/76561199469016299

Attributes

profile_id
821

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe

description	pid	process	target process
PID 1228 set thread context of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1168 1228 WerFault.exe 67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe

pid	pid_target	process	target process
1168	1228	WerFault.exe	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe

description	pid	process	target process
PID 1228 wrote to memory of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe
PID 1228 wrote to memory of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe
PID 1228 wrote to memory of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe
PID 1228 wrote to memory of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe
PID 1228 wrote to memory of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe
PID 1228 wrote to memory of 2012	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	vbc.exe
PID 1228 wrote to memory of 1168	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	WerFault.exe
PID 1228 wrote to memory of 1168	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	WerFault.exe
PID 1228 wrote to memory of 1168	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	WerFault.exe
PID 1228 wrote to memory of 1168	1228	67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe
"C:\Users\Admin\AppData\Local\Temp\67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 48
2⤵
- Program crash
PID:1168

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/2012-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2012-56-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2012-62-0x0000000000421DCC-mapping.dmp

Download
memory/2012-63-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download