vidar | 0e58aee5347ec13bc8c760cb266ba8714b208581e87ea08fe4693f3ba60261d7

Analysis

max time kernel
452s
max time network
456s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

202KB
MD5

64179e64675e822559cac6652298bdfc
SHA1

cceed3b2441146762512918af7bf7f89fb055583
SHA256

c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512

ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
SSDEEP

3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Score

10^/10

vidar 8f9b46cf1d8abd40fa96d1b9e9e32173 stealer

Malware Config

Extracted

Family

vidar

Botnet

8f9b46cf1d8abd40fa96d1b9e9e32173

https://116.202.4.240

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik

Attributes

profile_id_v2
8f9b46cf1d8abd40fa96d1b9e9e32173
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/2284-25-0x0000000000980000-0x00000000010C7000-memory.dmp	family_vidar_v7
behavioral2/memory/2284-29-0x0000000000980000-0x00000000010C7000-memory.dmp	family_vidar_v7
behavioral2/memory/2284-32-0x0000000000980000-0x00000000010C7000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3756 set thread context of 212	3756	Setup.exe	89

Loads dropped DLL 1 IoCs

pid	Process
2284	ErHttp3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
400	2284	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3756	Setup.exe
3756	Setup.exe
212	cmd.exe
212	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3756	Setup.exe
212	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 212	3756	Setup.exe	89
PID 3756 wrote to memory of 212	3756	Setup.exe	89
PID 3756 wrote to memory of 212	3756	Setup.exe	89
PID 3756 wrote to memory of 212	3756	Setup.exe	89
PID 212 wrote to memory of 2284	212	cmd.exe	100
PID 212 wrote to memory of 2284	212	cmd.exe	100
PID 212 wrote to memory of 2284	212	cmd.exe	100
PID 212 wrote to memory of 2284	212	cmd.exe	100
PID 212 wrote to memory of 2284	212	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\ErHttp3.exe
    C:\Users\Admin\AppData\Local\Temp\ErHttp3.exe
    3⤵
    - Loads dropped DLL
    PID:2284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 2248
      4⤵
      Program crash
      PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2284 -ip 2284
1⤵
PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9531a00c

Filesize
7.9MB

MD5
0fb648733321c9659ae206e21d362d52

SHA1
702eeff8ffda2e2d62f15ef98136ebb7fc4bf6ca

SHA256
45b25fc2beb98012d2c6092961388a5c8b3dcf09d712398c169f4ed948ea272f

SHA512
29ca2d357127b330d90f0a4e48607976da34d661b6118e91d34b9b562d29703695fc595e2953388599a6ff92cf33677a20b65b08b141648fe1513c6ba42279b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErHttp3.exe

Filesize
2.1MB

MD5
3c4d3348418c783ede10b71147965bf1

SHA1
8a6cf3aa21935c66f29e56026e5ced92f2e787f9

SHA256
24ae84c48d0ae8ce587c311d88af1640991b56850d38cc40106ea84c371caefd

SHA512
096384cdc89a1688be380095c2be807edf42b7c726f5d3337585978c3c510c91315f63ecbdf8635251981275d2306e64c913c9657c6b14be42672e35a26817ea

Download Submit
memory/212-23-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/212-13-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/212-15-0x00007FFA8D870000-0x00007FFA8DA65000-memory.dmp

Filesize
2.0MB

Download
memory/212-17-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/212-19-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/2284-25-0x0000000000980000-0x00000000010C7000-memory.dmp

Filesize
7.3MB

Download
memory/2284-28-0x00007FFA8D870000-0x00007FFA8DA65000-memory.dmp

Filesize
2.0MB

Download
memory/2284-29-0x0000000000980000-0x00000000010C7000-memory.dmp

Filesize
7.3MB

Download
memory/2284-32-0x0000000000980000-0x00000000010C7000-memory.dmp

Filesize
7.3MB

Download
memory/3756-11-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/3756-10-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/3756-0-0x0000000074980000-0x0000000074AFB000-memory.dmp

Filesize
1.5MB

Download
memory/3756-1-0x00007FFA8D870000-0x00007FFA8DA65000-memory.dmp

Filesize
2.0MB

Download