vidar | 1e504dc4522bade46026e1b0e62a10a32f7a12d84b9c59a37ef3142c2be5ddc3

General

Target

6936901e97ee480b4a602f20c15b0a00.exe
Size

544KB
MD5

6936901e97ee480b4a602f20c15b0a00
SHA1

bd2f93be0e8020e352cb98865f4f8c4314a863c6
SHA256

1e504dc4522bade46026e1b0e62a10a32f7a12d84b9c59a37ef3142c2be5ddc3
SHA512

84f2d2b36a90dee6ca8635539e491cb1d82ce6253a640644864924ed7e3a30a5b2789eff809526300587cfcb441939075cb9e430f25d48bcd7f8b7b49dd34155
SSDEEP

12288:BDIa8zZ/El18Fl066i8kEqS5SQdCGiuMYOuoDDi:ea8zul18c3iS5tJqNPi

Score

10^/10

vidar 937 stealer

Malware Config

Extracted

Family

vidar

Version

40

Botnet

937

C2

https://lenak513.tumblr.com/

Attributes

profile_id
937

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4112-2-0x0000000004930000-0x00000000049CD000-memory.dmp	family_vidar
behavioral2/memory/4112-3-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar
behavioral2/memory/4112-13-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar
behavioral2/memory/4112-14-0x0000000004930000-0x00000000049CD000-memory.dmp	family_vidar

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2712	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
4144	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3092	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
4500	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3976	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
784	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3360	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
1912	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
1964	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
4360	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3332	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3544	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
2032	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3384	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
3428	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe
1748	4112	WerFault.exe	6936901e97ee480b4a602f20c15b0a00.exe

C:\Users\Admin\AppData\Local\Temp\6936901e97ee480b4a602f20c15b0a00.exe
"C:\Users\Admin\AppData\Local\Temp\6936901e97ee480b4a602f20c15b0a00.exe"
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 824
2⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 832
2⤵
- Program crash
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 832
2⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 908
2⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 984
2⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1072
2⤵
- Program crash
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1136
2⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1500
2⤵
- Program crash
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1552
2⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1572
2⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1508
2⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1632
2⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1616
2⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1636
2⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1800
2⤵
- Program crash
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1844
2⤵
- Program crash
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4112 -ip 4112
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4112 -ip 4112
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4112 -ip 4112
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4112 -ip 4112
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4112 -ip 4112
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4112 -ip 4112
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4112 -ip 4112
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4112 -ip 4112
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4112 -ip 4112
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4112 -ip 4112
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4112 -ip 4112
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4112 -ip 4112
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4112 -ip 4112
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4112 -ip 4112
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4112 -ip 4112
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4112 -ip 4112
1⤵
PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4112-1-0x0000000002F90000-0x0000000003090000-memory.dmp

Filesize
1024KB

Download
memory/4112-2-0x0000000004930000-0x00000000049CD000-memory.dmp

Filesize
628KB

Download
memory/4112-3-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/4112-13-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/4112-14-0x0000000004930000-0x00000000049CD000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing