vidar | b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216

Analysis

max time kernel
129s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
13/03/2024, 04:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe
Size

439KB
MD5

7ac3d045fabcf67626b3515daebf4e98
SHA1

7595d275aa0c8c17641065601b7d52468c214471
SHA256

b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216
SHA512

dc74055191869eb74a2ce6a23b98f87c0b13f153eec09e7332570cd09b27d233ee57a3b50f0a7ad8d67e3f5eff04d5971822fb611c9853822dca425cf9f7d9e5
SSDEEP

6144:3FrVg9gU+57nzigO8CyekZVO9lsCtFCmsDNnEzGZK2dRt31Wh6ehSD:34q57nziZ+ekZV9UfsuzgL2Yeu

Score

10^/10

vidar zgrat 4bdee70ef97ecade3f5bde57c699bd29 rat stealer

Malware Config

Extracted

Family

vidar

Version

8.2

Botnet

4bdee70ef97ecade3f5bde57c699bd29

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik

Attributes

profile_id_v2
4bdee70ef97ecade3f5bde57c699bd29
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/4696-5-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/4696-8-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/4696-11-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4348-0-0x00000000007F0000-0x0000000000860000-memory.dmp	family_zgrat_v1

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3612	4696	WerFault.exe	73

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73
PID 4348 wrote to memory of 4696	4348	b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe	73

C:\Users\Admin\AppData\Local\Temp\b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe
"C:\Users\Admin\AppData\Local\Temp\b07e0b48bc71cad112c096cba915fdb28853e2c2882c2fdb9c856c6752493216.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1776
    3⤵
    - Program crash
    PID:3612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4348-0-0x00000000007F0000-0x0000000000860000-memory.dmp

Filesize
448KB

Download
memory/4348-1-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4348-2-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4348-13-0x0000000002C70000-0x0000000004C70000-memory.dmp

Filesize
32.0MB

Download
memory/4348-12-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4348-20-0x0000000002C70000-0x0000000004C70000-memory.dmp

Filesize
32.0MB

Download
memory/4696-5-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4696-8-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4696-11-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download