vidar | dd708ea05dadfc665013aa57e96639bd6f85f936afe44ddf930f8da815847aa7

Analysis

max time kernel
117s
max time network
139s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TradingView Сomplete_beta v3.15.exe
Size

781.5MB
MD5

4f16f4ed9bb364c3e4150335cc4527ef
SHA1

26ae81e8b34e09598b6733e6e2679fc0205cb57a
SHA256

5237e2a5ae90d66c260eb4ec8f3118d627d60a2ea0768a476ba1a9d85ede5078
SHA512

db0f29cd3ee586d333d7c04a275b67e38f72f81a9501bdb57358cf857fbf8345dfdc212b7548ba8af358de2b73df93f289215f99c0265855123bbef4cefde6c3
SSDEEP

24576:emCddUT2rPrci84yp3w1SmnWv6Ecl+c1JpQ9Q5Y:ebdiT2TrL8rxAS+Wvsl7r4Q5Y

Score

10^/10

vidar 74add1c619f652e60c7692dbc0048f64 stealer

Malware Config

Extracted

Family

vidar

Version

5.3

Botnet

74add1c619f652e60c7692dbc0048f64

https://t.me/buukcay

https://steamcommunity.com/profiles/76561199544211655

Attributes

profile_id_v2
74add1c619f652e60c7692dbc0048f64

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2452	3052	TradingView Сomplete_beta v3.15.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1848	2452	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	TradingView Сomplete_beta v3.15.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 3052 wrote to memory of 2452	3052	TradingView Сomplete_beta v3.15.exe	30
PID 2452 wrote to memory of 1848	2452	cvtres.exe	31
PID 2452 wrote to memory of 1848	2452	cvtres.exe	31
PID 2452 wrote to memory of 1848	2452	cvtres.exe	31
PID 2452 wrote to memory of 1848	2452	cvtres.exe	31

C:\Users\Admin\AppData\Local\Temp\TradingView Сomplete_beta v3.15.exe
"C:\Users\Admin\AppData\Local\Temp\TradingView Сomplete_beta v3.15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 120
    3⤵
    - Program crash
    PID:1848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-30-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2452-39-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2452-37-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2452-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-35-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2452-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2452-33-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2452-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3052-11-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-28-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/3052-13-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-19-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-17-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-23-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-21-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-27-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-25-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-15-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-29-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3052-9-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-0-0x00000000001A0000-0x0000000000324000-memory.dmp

Filesize
1.5MB

Download
memory/3052-7-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-5-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-4-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/3052-3-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/3052-2-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-40-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-1-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download