vidar | 7b1cf1979579775f48e8d20974753453f75963b3094d3b95519d9362e943dbbb

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Litever01.exe
Size

593KB
MD5

c85b133eae3ca2e8aa788b5b41dd12ca
SHA1

46842b223e918590f851dc58feb0333756fc872e
SHA256

0fca09eff75cd95e68f6ec7aed7c3f89ae7345a180f94fc5b470e2b24ebbc63a
SHA512

a485023b501126130a5c01a6c6348a5d2f28b9f5c89329d8eec6451cd494984eab6d66215fd3b3fb4db7545fc524cd371373859a7dfa3a67e2c0f4e84613bbf2
SSDEEP

12288:rmuLlwwQ+nWbz7jf0qncK45KIPwLeRxgPqcpLsZgxdqjc:rmuZwwJWbz7jf0qnIKIP9RxQqcpog

Score

10^/10

vidar 933 stealer

Malware Config

Extracted

Family

vidar

Version

40.2

Botnet

933

https://kipriauka.tumblr.com/

Attributes

profile_id
933

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral8/memory/4080-2-0x0000000003BC0000-0x0000000003C93000-memory.dmp	family_vidar
behavioral8/memory/4080-3-0x0000000000400000-0x0000000001DE1000-memory.dmp	family_vidar
behavioral8/memory/4080-13-0x0000000000400000-0x0000000001DE1000-memory.dmp	family_vidar
behavioral8/memory/4080-14-0x0000000003BC0000-0x0000000003C93000-memory.dmp	family_vidar

Program crash 16 IoCs

pid	pid_target	Process	procid_target
1416	4080	WerFault.exe	85
764	4080	WerFault.exe	85
3044	4080	WerFault.exe	85
3012	4080	WerFault.exe	85
3428	4080	WerFault.exe	85
5092	4080	WerFault.exe	85
516	4080	WerFault.exe	85
1316	4080	WerFault.exe	85
4520	4080	WerFault.exe	85
4504	4080	WerFault.exe	85
4108	4080	WerFault.exe	85
3204	4080	WerFault.exe	85
3296	4080	WerFault.exe	85
1164	4080	WerFault.exe	85
4116	4080	WerFault.exe	85
4364	4080	WerFault.exe	85

C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
1⤵
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 816
  2⤵
  - Program crash
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 836
  2⤵
  - Program crash
  PID:764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 836
  2⤵
  - Program crash
  PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 888
  2⤵
  - Program crash
  PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 988
  2⤵
  - Program crash
  PID:3428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1076
  2⤵
  - Program crash
  PID:5092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1128
  2⤵
  - Program crash
  PID:516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1504
  2⤵
  - Program crash
  PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1516
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1572
  2⤵
  - Program crash
  PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1776
  2⤵
  - Program crash
  PID:4108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1560
  2⤵
  - Program crash
  PID:3204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1560
  2⤵
  - Program crash
  PID:3296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1608
  2⤵
  - Program crash
  PID:1164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1584
  2⤵
  - Program crash
  PID:4116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1040
  2⤵
  - Program crash
  PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4080 -ip 4080
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4080 -ip 4080
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4080 -ip 4080
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4080 -ip 4080
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4080 -ip 4080
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4080 -ip 4080
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4080 -ip 4080
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4080 -ip 4080
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4080 -ip 4080
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4080 -ip 4080
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4080 -ip 4080
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4080 -ip 4080
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4080 -ip 4080
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4080 -ip 4080
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4080 -ip 4080
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4080 -ip 4080
1⤵
PID:2788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4080-1-0x0000000002120000-0x0000000002220000-memory.dmp

Filesize
1024KB

Download
memory/4080-2-0x0000000003BC0000-0x0000000003C93000-memory.dmp

Filesize
844KB

Download
memory/4080-3-0x0000000000400000-0x0000000001DE1000-memory.dmp

Filesize
25.9MB

Download
memory/4080-13-0x0000000000400000-0x0000000001DE1000-memory.dmp

Filesize
25.9MB

Download
memory/4080-14-0x0000000003BC0000-0x0000000003C93000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads