vidar | 5abd6f4f7252ac98279db7727c79c5600870725fac5f8b883241a0265952fd69

General

Target

942df1706c052d73741ec002d96b4fdf.exe
Size

4.9MB
MD5

942df1706c052d73741ec002d96b4fdf
SHA1

21857f677c914c4599e548fb031578fa6c710f6f
SHA256

5abd6f4f7252ac98279db7727c79c5600870725fac5f8b883241a0265952fd69
SHA512

42b29fd69dd7893aa3c3e61d16905b3c683410cd9588e7c2bd936af3b4b77f5f363b72dddbfdeb20e7270308b3026c5020723fd4927f3b6b0317743499bdbfcb
SSDEEP

49152:TBm8JfTvWWDd6dgBvUNhIx2q7UU0ROfLV8UpY9gBhHaEE50acppKM:w8JmOUogq7GODaUpygBRXrpcM

Score

10^/10

vidar zgrat rat stealer

Malware Config

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/228-22-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral2/memory/228-27-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral2/memory/228-25-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral2/memory/228-30-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000920000-0x0000000000E0C000-memory.dmp	family_zgrat_v1

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
4848	942df1706c052d73741ec002d96b4fdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3308	228	WerFault.exe	102

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3488	4848	942df1706c052d73741ec002d96b4fdf.exe	103
PID 4848 wrote to memory of 3488	4848	942df1706c052d73741ec002d96b4fdf.exe	103
PID 4848 wrote to memory of 3488	4848	942df1706c052d73741ec002d96b4fdf.exe	103
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102
PID 4848 wrote to memory of 228	4848	942df1706c052d73741ec002d96b4fdf.exe	102

C:\Users\Admin\AppData\Local\Temp\942df1706c052d73741ec002d96b4fdf.exe
"C:\Users\Admin\AppData\Local\Temp\942df1706c052d73741ec002d96b4fdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 2016
    3⤵
    - Program crash
    PID:3308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 228 -ip 228
1⤵
PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
365KB

MD5
aaf46aec220493cb71501c68000b1785

SHA1
09fcd3edcc33ca1469e4753f38160e757bc93e60

SHA256
814c9b54f097333482904f33ca7dfbc5db71ebee3877b6b7dac10de7e4af73f3

SHA512
158899ada4bdaed9a7069682b6805330648bee6c2211e74d9f44d4256decfaf4b1e3a0da5d034ddea9429aac3c6a8e9e06708bde6c5249c86059d41e1e384e21

Download Submit
memory/228-30-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/228-25-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/228-27-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/228-22-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4848-20-0x00000000072F0000-0x00000000073F0000-memory.dmp

Filesize
1024KB

Download
memory/4848-2-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/4848-5-0x0000000005B30000-0x0000000005D58000-memory.dmp

Filesize
2.2MB

Download
memory/4848-14-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-18-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-1-0x0000000000920000-0x0000000000E0C000-memory.dmp

Filesize
4.9MB

Download
memory/4848-4-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-3-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4848-26-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4848-6-0x0000000006E90000-0x0000000007022000-memory.dmp

Filesize
1.6MB

Download
memory/4848-21-0x00000000072F0000-0x00000000073F0000-memory.dmp

Filesize
1024KB

Download
memory/4848-19-0x00000000072F0000-0x00000000073F0000-memory.dmp

Filesize
1024KB

Download
memory/4848-17-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-16-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-15-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-13-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4848-12-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4848-0-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing