vidar | 469a4e2de0f45d2543d7e535c54c6d6861e26e7ed26e1fda4ce9e00d03fb0077

Analysis

max time kernel
137s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#DllHijacking #Vidar/Starter.exe
Size

7.3MB
MD5

49b6bce6cd0111433969c39a62635f91
SHA1

0e34b4e770cc7d018b955bc14dabb205321e872c
SHA256

29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5
SHA512

4737663a5a6b30779650dcaa461b7751bfb735d2c906d04d877604db5a270f68205e0ff1240f2509f2835d885708b849759b10d22deff3bf0f03579bd1402ff8
SSDEEP

49152:/Ph7SQtfhuOhfEPOBjP9P6SOgjha5VKnRt3RQ9Wpvgt4sbVpEmVT1oG3vTROBYxI:ntBbz3q9QluER

Score

10^/10

vidar b86ed69267e5641d44dafebd064d1e80 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

b86ed69267e5641d44dafebd064d1e80

https://65.109.242.97

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
b86ed69267e5641d44dafebd064d1e80
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/3636-20-0x0000000000690000-0x0000000000DD8000-memory.dmp	family_vidar_v7
behavioral2/memory/3636-25-0x0000000000690000-0x0000000000DD8000-memory.dmp	family_vidar_v7
behavioral2/memory/3636-26-0x0000000000690000-0x0000000000DD8000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4360 set thread context of 3924	4360	Starter.exe	83

Loads dropped DLL 1 IoCs

pid	Process
3636	gsd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	3636	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4360	Starter.exe
4360	Starter.exe
3924	cmd.exe
3924	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4360	Starter.exe
3924	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3924	4360	Starter.exe	83
PID 4360 wrote to memory of 3924	4360	Starter.exe	83
PID 4360 wrote to memory of 3924	4360	Starter.exe	83
PID 4360 wrote to memory of 3924	4360	Starter.exe	83
PID 3924 wrote to memory of 3636	3924	cmd.exe	92
PID 3924 wrote to memory of 3636	3924	cmd.exe	92
PID 3924 wrote to memory of 3636	3924	cmd.exe	92
PID 3924 wrote to memory of 3636	3924	cmd.exe	92
PID 3924 wrote to memory of 3636	3924	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\#DllHijacking #Vidar\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\#DllHijacking #Vidar\Starter.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\gsd.exe
    C:\Users\Admin\AppData\Local\Temp\gsd.exe
    3⤵
    - Loads dropped DLL
    PID:3636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 2228
      4⤵
      Program crash
      PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3636 -ip 3636
1⤵
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25bda826

Filesize
5.9MB

MD5
4e3d4513bdee07665ad4ce808275027f

SHA1
42b0803d594af451ad6cff469f8abee01676a28e

SHA256
ca70780668e71143fd7bb7ebd68e064ef8a10cf9469d7babf627966195a975a9

SHA512
02531059ff46c0865a1aa1d36399f953c4d37350408249d120693b899b92c7c661c4a6d097dd6026019c2e2bb1863df28d4a20e7b53a3f20f6c54cf55acea50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsd.exe

Filesize
82KB

MD5
9e368252cee939f6a19df11945968a54

SHA1
633407597d5ef809dacfcc176b5bdebe4b3e92d8

SHA256
dc1175b2170d87f53512761950ac3fbfd13afabade3ed4ae18627c4625a58dfd

SHA512
7b6a03bec0f8c17c030621b5da8e39b0662ecad6e41f44d8085d6d8d0cae62452ed1dafac9f678b9355f804997b7feb9c7ebd981172b45144b76c98e3d30fe61

Download Submit
memory/3636-26-0x0000000000690000-0x0000000000DD8000-memory.dmp

Filesize
7.3MB

Download
memory/3636-25-0x0000000000690000-0x0000000000DD8000-memory.dmp

Filesize
7.3MB

Download
memory/3636-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3636-20-0x0000000000690000-0x0000000000DD8000-memory.dmp

Filesize
7.3MB

Download
memory/3636-19-0x00007FFE44350000-0x00007FFE44545000-memory.dmp

Filesize
2.0MB

Download
memory/3924-12-0x0000000075650000-0x00000000757CB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-16-0x0000000075650000-0x00000000757CB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-13-0x0000000075650000-0x00000000757CB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-9-0x00007FFE44350000-0x00007FFE44545000-memory.dmp

Filesize
2.0MB

Download
memory/4360-0-0x00007FFE26B40000-0x00007FFE26CB2000-memory.dmp

Filesize
1.4MB

Download
memory/4360-7-0x0000000000400000-0x0000000000B62000-memory.dmp

Filesize
7.4MB

Download
memory/4360-5-0x00007FFE26B40000-0x00007FFE26CB2000-memory.dmp

Filesize
1.4MB

Download
memory/4360-4-0x00007FFE26B40000-0x00007FFE26CB2000-memory.dmp

Filesize
1.4MB

Download