vidar | 9a61e776585dc88a15e548278caead09cdb871d4f4fac962cf14f0d43eca9c25

Analysis

max time kernel
82s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

409KB
MD5

24604438f2cb5fcbda87b9fe3f817bcb
SHA1

fe61f3c2824ea356df33eba858d5abed8f46ef82
SHA256

9a61e776585dc88a15e548278caead09cdb871d4f4fac962cf14f0d43eca9c25
SHA512

179fbb54aa9f3f87ff56c2521354a846d67115e691f2c9821dca92ed01b0492334ced528b33d3062d9a5575fa3ae0e1a12f2cf89150d380234af3921edcb7f9d
SSDEEP

6144:YtojTSy7+iRLF+NkKloo39+Te9Oy4BXZ/lZX02oNawWk/mrFy27UoZkCDqUFh:bSAM/99+Te9nWzZXcp/GF7UyDqUFh

Score

10^/10

vidar 2548f166286a0b36dbfd9f8a1ac09311 stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

2548f166286a0b36dbfd9f8a1ac09311

https://t.me/zaskullz

https://steamcommunity.com/profiles/76561199486572327

http://135.181.87.234:80

Attributes

profile_id_v2
2548f166286a0b36dbfd9f8a1ac09311

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1700 set thread context of 3728 1700 tmp.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1820 3728 WerFault.exe vbc.exe

description	pid	process	target process
PID 1700 set thread context of 3728	1700	tmp.exe	vbc.exe

pid	pid_target	process	target process
1820	3728	WerFault.exe	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe
PID 1700 wrote to memory of 3728	1700	tmp.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 356
    3⤵
    - Program crash
    PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3728 -ip 3728
1⤵
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-133-0x0000000000750000-0x00000000007BC000-memory.dmp

Filesize
432KB

Download
memory/1700-142-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/3728-135-0x0000000000750000-0x00000000007C1000-memory.dmp

Filesize
452KB

Download
memory/3728-138-0x0000000000750000-0x00000000007C1000-memory.dmp

Filesize
452KB

Download
memory/3728-141-0x0000000000750000-0x00000000007C1000-memory.dmp

Filesize
452KB

Download