vidar | 6b441ae34112ccf492bc9b7cd467ef3dcf4dcb0ce0a25fb87836807da4991612

Analysis

max time kernel
127s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 06:52

Target

b17ca9b32513aec9742a7e38c9fc0716.exe
Size

702KB
MD5

b17ca9b32513aec9742a7e38c9fc0716
SHA1

368897b3e55e2fc0f484f90bcf839aed27f49417
SHA256

6b441ae34112ccf492bc9b7cd467ef3dcf4dcb0ce0a25fb87836807da4991612
SHA512

e5c8d5935ee36276c63204284facc31b77c70bf97b24d2090b4b4fe4f53d9cd10db59859b80d6b677490f1fb506c40bec20349397ed75fe67472ffbfde1ae012
SSDEEP

12288:9BOoxOZuX86JY1oowOZ6XxAiVrjJgostVddbJ+slh5N3pdxNLUf5kEmVwqfbfT:90os8XfeXv6T7YHXbJ+w57dxuf5kEmVt

Score

10^/10

vidar 921 stealer

Family

vidar

Version

39.8

Botnet

921

https://xeronxikxxx.tumblr.com/

Attributes

Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1060-7-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral2/memory/1060-8-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral2/memory/1060-10-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral2/memory/1060-12-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral2/memory/1060-22-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Suspicious use of SetThreadContext 1 IoCs

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exe

description pid process target process

PID 2452 set thread context of 1060 2452 b17ca9b32513aec9742a7e38c9fc0716.exe b17ca9b32513aec9742a7e38c9fc0716.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1984 1060 WerFault.exe b17ca9b32513aec9742a7e38c9fc0716.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exe

description pid process

Token: SeDebugPrivilege 2452 b17ca9b32513aec9742a7e38c9fc0716.exe

description	pid	process	target process
PID 2452 set thread context of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe

pid	pid_target	process	target process
1984	1060	WerFault.exe	b17ca9b32513aec9742a7e38c9fc0716.exe

description	pid	process
Token: SeDebugPrivilege	2452	b17ca9b32513aec9742a7e38c9fc0716.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b17ca9b32513aec9742a7e38c9fc0716.exe

description	pid	process	target process
PID 2452 wrote to memory of 2480	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 2480	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 2480	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe
PID 2452 wrote to memory of 1060	2452	b17ca9b32513aec9742a7e38c9fc0716.exe	b17ca9b32513aec9742a7e38c9fc0716.exe

C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
2⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
C:\Users\Admin\AppData\Local\Temp\b17ca9b32513aec9742a7e38c9fc0716.exe
2⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1756
3⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1060 -ip 1060
1⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8
1⤵
PID:3700

memory/1060-7-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1060-22-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1060-12-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1060-10-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1060-8-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2452-3-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/2452-6-0x0000000005B40000-0x0000000005B66000-memory.dmp

Filesize
152KB

Download
memory/2452-5-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/2452-4-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2452-0-0x0000000000E10000-0x0000000000EC2000-memory.dmp

Filesize
712KB

Download
memory/2452-11-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/2452-2-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/2452-1-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download