vidar | 0548b90912c147102750c6b6e84504fa8f37f7143c288131a6e00793646024bc

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 13:49

Target

#Vidar/Setup.exe
Size

7.3MB
MD5

49b6bce6cd0111433969c39a62635f91
SHA1

0e34b4e770cc7d018b955bc14dabb205321e872c
SHA256

29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5
SHA512

4737663a5a6b30779650dcaa461b7751bfb735d2c906d04d877604db5a270f68205e0ff1240f2509f2835d885708b849759b10d22deff3bf0f03579bd1402ff8
SSDEEP

49152:/Ph7SQtfhuOhfEPOBjP9P6SOgjha5VKnRt3RQ9Wpvgt4sbVpEmVT1oG3vTROBYxI:ntBbz3q9QluER

Score

10^/10

Family

vidar

Botnet

9e23613691aee9405b5fb64671c7c70e

https://pvasms.top

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
9e23613691aee9405b5fb64671c7c70e
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral4/memory/532-16-0x0000000000820000-0x0000000000F67000-memory.dmp	family_vidar_v7
behavioral4/memory/532-25-0x0000000000820000-0x0000000000F67000-memory.dmp	family_vidar_v7
behavioral4/memory/532-26-0x0000000000820000-0x0000000000F67000-memory.dmp	family_vidar_v7

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 744	924	Setup.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	532	WerFault.exe	101

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
924	Setup.exe
744	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 744	924	Setup.exe	88
PID 924 wrote to memory of 744	924	Setup.exe	88
PID 924 wrote to memory of 744	924	Setup.exe	88
PID 924 wrote to memory of 744	924	Setup.exe	88
PID 744 wrote to memory of 532	744	cmd.exe	101
PID 744 wrote to memory of 532	744	cmd.exe	101
PID 744 wrote to memory of 532	744	cmd.exe	101
PID 744 wrote to memory of 532	744	cmd.exe	101
PID 744 wrote to memory of 532	744	cmd.exe	101

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 532 -ip 532
1⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\9d706a36

Filesize
5.9MB

MD5
d291210ae1785248437ad01e7b09068e

SHA1
b003fe16ac6577a97ab33bdb876970b5c6628d5a

SHA256
b148bf9e2cfc37eff0696ee5a9e6182fb70d699fa38e8b8a6aecb9c616897492

SHA512
1d1d6930a4e6d0f107db23e21ce365f9e496f28d43e3d79ab0722acb0746c9c964b4f46954175f0470841923def9a1b4ec3c064700ca494a1bbd1be0e07e07fc

Download Submit
memory/532-16-0x0000000000820000-0x0000000000F67000-memory.dmp

Filesize
7.3MB

Download
memory/532-26-0x0000000000820000-0x0000000000F67000-memory.dmp

Filesize
7.3MB

Download
memory/532-25-0x0000000000820000-0x0000000000F67000-memory.dmp

Filesize
7.3MB

Download
memory/532-18-0x00007FFDCB890000-0x00007FFDCBA85000-memory.dmp

Filesize
2.0MB

Download
memory/744-10-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/744-11-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/744-15-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/744-9-0x00007FFDCB890000-0x00007FFDCBA85000-memory.dmp

Filesize
2.0MB

Download
memory/924-0-0x00007FFDBC050000-0x00007FFDBC1C2000-memory.dmp

Filesize
1.4MB

Download
memory/924-7-0x0000000000400000-0x0000000000B62000-memory.dmp

Filesize
7.4MB

Download
memory/924-5-0x00007FFDBC050000-0x00007FFDBC1C2000-memory.dmp

Filesize
1.4MB

Download
memory/924-4-0x00007FFDBC050000-0x00007FFDBC1C2000-memory.dmp

Filesize
1.4MB

Download