vidar | 9d42b5a2c6c6ce0c2966cf48f2566abd3060ca75ad5286cb2bb5b2eb2a92292f

Resubmissions

15/03/2024, 02:04

240315-cha8nadh2w 10

14/03/2024, 14:03

240314-rc1zfsga97 10

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

lnstaller_2024.008.20535_win64_86.exe
Size

18.7MB
MD5

df6c0952255d459617f1b0f85c81d27d
SHA1

3a9a43dbe52de0d9a5b064c33f19ea6eea106870
SHA256

9d42b5a2c6c6ce0c2966cf48f2566abd3060ca75ad5286cb2bb5b2eb2a92292f
SHA512

37847697a8ef67ec597a1737f1d8fa6aee007b5afaa2c1550afeff71262a721533a76beb8535d4ee34a0d9b20c25f518c9cdee40fd5400664866b5dfcbf020ea
SSDEEP

98304:8FRMYdiZlRs9Fm9cy3mo3tR1KtrAf29At4iABaAtO/u4B1sKTPX49P4lwpDbypx8:8XMYdiaMf3tRgwiwAuvs649P9D26sTA

Score

10^/10

vidar 028e8b5e9eaea5b188f702e7691d4c1c stealer

Malware Config

Extracted

Family

vidar

Botnet

028e8b5e9eaea5b188f702e7691d4c1c

http://45.144.28.165:49119

http://103.35.188.34:39119

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik

Attributes

profile_id_v2
028e8b5e9eaea5b188f702e7691d4c1c
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1872-28-0x0000000000600000-0x0000000000846000-memory.dmp	family_vidar_v7
behavioral2/memory/1872-31-0x0000000000600000-0x0000000000846000-memory.dmp	family_vidar_v7
behavioral2/memory/1872-32-0x0000000000600000-0x0000000000846000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Loads dropped DLL 1 IoCs

pid	Process
1872	Ptr.au3

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 772	4108	lnstaller_2024.008.20535_win64_86.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3496	1872	WerFault.exe	101

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4108	lnstaller_2024.008.20535_win64_86.exe
4108	lnstaller_2024.008.20535_win64_86.exe
772	cmd.exe
772	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4108	lnstaller_2024.008.20535_win64_86.exe
772	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 772	4108	lnstaller_2024.008.20535_win64_86.exe	93
PID 4108 wrote to memory of 772	4108	lnstaller_2024.008.20535_win64_86.exe	93
PID 4108 wrote to memory of 772	4108	lnstaller_2024.008.20535_win64_86.exe	93
PID 4108 wrote to memory of 772	4108	lnstaller_2024.008.20535_win64_86.exe	93
PID 772 wrote to memory of 1872	772	cmd.exe	101
PID 772 wrote to memory of 1872	772	cmd.exe	101
PID 772 wrote to memory of 1872	772	cmd.exe	101
PID 772 wrote to memory of 1872	772	cmd.exe	101
PID 772 wrote to memory of 1872	772	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\lnstaller_2024.008.20535_win64_86.exe
"C:\Users\Admin\AppData\Local\Temp\lnstaller_2024.008.20535_win64_86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\Ptr.au3
    C:\Users\Admin\AppData\Local\Temp\Ptr.au3
    3⤵
    - Loads dropped DLL
    PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1308
      4⤵
      Program crash
      PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1872 -ip 1872
1⤵
PID:3092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\207eff3f

Filesize
1.8MB

MD5
8d3e24fca682b2228a68ce5594d9ead8

SHA1
0c177e8a47c5c42a712348ac4bebbec79d59da94

SHA256
b6462fb4a9682eebdeeaf11d68febcad4ad80af07a1e2640eeedb2c9c255e37b

SHA512
bccaaf286dfa741c6778c7eea3e071e71c45a0c443e181b9f575d5b55f3c2645db19b7a2b9bb20defced937372d09712361bbb80dedc9186eeab2f80aef55f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ptr.au3

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
memory/772-18-0x00007FFF48BB0000-0x00007FFF48DA5000-memory.dmp

Filesize
2.0MB

Download
memory/772-25-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download
memory/772-16-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download
memory/772-20-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download
memory/772-21-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download
memory/1872-32-0x0000000000600000-0x0000000000846000-memory.dmp

Filesize
2.3MB

Download
memory/1872-31-0x0000000000600000-0x0000000000846000-memory.dmp

Filesize
2.3MB

Download
memory/1872-30-0x00007FFF48BB0000-0x00007FFF48DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1872-28-0x0000000000600000-0x0000000000846000-memory.dmp

Filesize
2.3MB

Download
memory/4108-9-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download
memory/4108-7-0x0000000000490000-0x0000000001753000-memory.dmp

Filesize
18.8MB

Download
memory/4108-0-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/4108-10-0x00007FFF48BB0000-0x00007FFF48DA5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-13-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download
memory/4108-11-0x0000000073E60000-0x0000000073FDB000-memory.dmp

Filesize
1.5MB

Download