vidar | 04ec8be17e718e7df090dcd4c8297859c64e3b30738c099809895dca50ad7b11

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sft_Extra.exe
Size

1.1MB
MD5

f975a2d83d63a473fa2fc5206b66bb79
SHA1

e49d21f112ab27ae0953aff30ae122440cf164b9
SHA256

6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
SHA512

4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64
SSDEEP

12288:IbCylcTVPbi7vT1K7n6HpVkg8KHIo5u0K1VmMxEnbuvuY2jTU+LHMA+nk2oG1ts:4lcTVPbikTMkg8KH/mmMxnvfphx8

Score

10^/10

vidar 11517b89b590a0507ebc843bd239d1e5 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

11517b89b590a0507ebc843bd239d1e5

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
11517b89b590a0507ebc843bd239d1e5
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/4908-21-0x0000000000860000-0x0000000000AA6000-memory.dmp	family_vidar_v7
behavioral2/memory/4908-22-0x0000000000860000-0x0000000000AA6000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 2172	4888	Sft_Extra.exe	83

Loads dropped DLL 1 IoCs

pid	Process
4908	Zima.pif

Program crash 1 IoCs

pid	pid_target	Process	procid_target
664	4908	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4888	Sft_Extra.exe
4888	Sft_Extra.exe
2172	more.com
2172	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4888	Sft_Extra.exe
2172	more.com

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2172	4888	Sft_Extra.exe	83
PID 4888 wrote to memory of 2172	4888	Sft_Extra.exe	83
PID 4888 wrote to memory of 2172	4888	Sft_Extra.exe	83
PID 4888 wrote to memory of 2172	4888	Sft_Extra.exe	83
PID 2172 wrote to memory of 4908	2172	more.com	92
PID 2172 wrote to memory of 4908	2172	more.com	92
PID 2172 wrote to memory of 4908	2172	more.com	92
PID 2172 wrote to memory of 4908	2172	more.com	92
PID 2172 wrote to memory of 4908	2172	more.com	92

C:\Users\Admin\AppData\Local\Temp\Sft_Extra.exe
"C:\Users\Admin\AppData\Local\Temp\Sft_Extra.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\Zima.pif
    C:\Users\Admin\AppData\Local\Temp\Zima.pif
    3⤵
    - Loads dropped DLL
    PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1996
      4⤵
      Program crash
      PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4908 -ip 4908
1⤵
PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1781c000

Filesize
1.2MB

MD5
b5d4f45735350d0b9659ef38d280aea6

SHA1
334ed12a6bd8a7a14b31a714fa6b1508ef666329

SHA256
1663db0a9637532c61c821a72897f086187856498666365762bb1d55ad348949

SHA512
31e6d6a2d71c2704432b9063557d3b92a730b37239f79d0036be7a3268799066ab7f43ab70535c78ba23db4dce006bda7ec6c9ac7dc694e3c925512526bcbbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zima.pif

Filesize
332KB

MD5
578b84dffcdde848e5726fb87f7795fc

SHA1
54e40becf54cbf4a1c30558140febc872e14ee6b

SHA256
3af13cc9a44cd8ac077ae3d1b8a00625e5e288c51d6d797231b2de4a1aba87fd

SHA512
0d73f2ef0664d273f096fd17a0d4a7c73adbaf1551a041cb7802a9bd6d69c04121c561e57b8dfdd7a415899568baf832cb44307d4024d053049b976cc870e5e3

Download Submit
memory/2172-8-0x00007FFDC7E90000-0x00007FFDC8085000-memory.dmp

Filesize
2.0MB

Download
memory/2172-10-0x0000000075A80000-0x0000000075BFB000-memory.dmp

Filesize
1.5MB

Download
memory/2172-12-0x0000000075A80000-0x0000000075BFB000-memory.dmp

Filesize
1.5MB

Download
memory/2172-14-0x0000000075A80000-0x0000000075BFB000-memory.dmp

Filesize
1.5MB

Download
memory/4888-0-0x00007FFDB8F10000-0x00007FFDB9082000-memory.dmp

Filesize
1.4MB

Download
memory/4888-4-0x00007FFDB8F10000-0x00007FFDB9082000-memory.dmp

Filesize
1.4MB

Download
memory/4888-5-0x00007FFDB8F10000-0x00007FFDB9082000-memory.dmp

Filesize
1.4MB

Download
memory/4908-18-0x00007FFDC7E90000-0x00007FFDC8085000-memory.dmp

Filesize
2.0MB

Download
memory/4908-21-0x0000000000860000-0x0000000000AA6000-memory.dmp

Filesize
2.3MB

Download
memory/4908-22-0x0000000000860000-0x0000000000AA6000-memory.dmp

Filesize
2.3MB

Download