vidar | 4227ee74e68b799efeb3613493f4814a81e16fec32c88bcc3fdcc7eae35b60bc

General

Target

f1e89356f7a21887e4b5db1160717abf.exe
Size

581KB
MD5

f1e89356f7a21887e4b5db1160717abf
SHA1

ff7409ec73309460650dccc2e44efb8595c246d7
SHA256

4227ee74e68b799efeb3613493f4814a81e16fec32c88bcc3fdcc7eae35b60bc
SHA512

891734162b8f4b5c1d9cc08cc9c8140edbdf8af2ca4b0819a860cc1c1887d041e25db1b4282069ebeea6d764846d5d20ba3e836d923b1e3886f468236b244e51
SSDEEP

12288:qxOZuX86JY1oowOZ6XxAiVrjJgostVjXl+2U9rKicYz:qs8XfeXv6T7YH7l+2GrKicYz

Score

10^/10

vidar 921 stealer

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

921

C2

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
921

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2992-9-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2992-8-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2992-5-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral1/memory/2992-68-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Suspicious use of SetThreadContext 1 IoCs

Processes:

f1e89356f7a21887e4b5db1160717abf.exe

description pid process target process

PID 1912 set thread context of 2992 1912 f1e89356f7a21887e4b5db1160717abf.exe f1e89356f7a21887e4b5db1160717abf.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1304 2992 WerFault.exe f1e89356f7a21887e4b5db1160717abf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f1e89356f7a21887e4b5db1160717abf.exe

description pid process

Token: SeDebugPrivilege 1912 f1e89356f7a21887e4b5db1160717abf.exe

description	pid	process	target process
PID 1912 set thread context of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe

pid	pid_target	process	target process
1304	2992	WerFault.exe	f1e89356f7a21887e4b5db1160717abf.exe

description	pid	process
Token: SeDebugPrivilege	1912	f1e89356f7a21887e4b5db1160717abf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

f1e89356f7a21887e4b5db1160717abf.exe

description	pid	process	target process
PID 1912 wrote to memory of 2088	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2088	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2088	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2088	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe
PID 1912 wrote to memory of 2992	1912	f1e89356f7a21887e4b5db1160717abf.exe	f1e89356f7a21887e4b5db1160717abf.exe

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
"C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
2⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 816
3⤵
- Program crash
PID:1304

C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
C:\Users\Admin\AppData\Local\Temp\f1e89356f7a21887e4b5db1160717abf.exe
2⤵
PID:2088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
40KB

MD5
673ff25bee2fa1ebf165f1f444a0a2db

SHA1
673a4a2c4b28f1219470b76584334464ec338ad1

SHA256
fb25b47cfa706d64151bb11111508c60ef2687619e38290520c2b670df0f7c8d

SHA512
eba02892de9e053d826b8be8d48f57cdcbccabc4122ab30fa9e2acf64b52e665e3c55dfbb068668a65f4466640f31c0ed0b59e4aaa354272c773ac0853d70a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9745.tmp
Filesize
11KB

MD5
224571d5dc9ed20d8bbecd3efcb61a9a

SHA1
7c921768e95dee03664130da3554e1902642af54

SHA256
7fbd7d2a8d512392a3e812ccfc80914b8bd502b7c9e037d82056d968a46b2a31

SHA512
5f0b7dc5af1f85dfc432d9ec071b68ac9e9ab2d889bf7de44585dcc625b882a3b8e59f6015680369318298a5c48b8bf9ef19c0d51e2a32a400920c0e299d61a9

Download Submit
memory/1912-0-0x0000000000C90000-0x0000000000D24000-memory.dmp

Filesize
592KB

Download
memory/1912-2-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/1912-1-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1912-3-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1912-4-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/1912-7-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-9-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2992-8-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2992-5-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2992-68-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing