vidar | a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7

Resubmissions

03-04-2024 19:54

240403-ymwwtabd88 10

29-03-2024 17:27

240329-v1sjrsde91 10

Analysis

max time kernel
144s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
03-04-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inchr_StExta_Itst_v.3.1/Set-up.exe
Size

1.1MB
MD5

f975a2d83d63a473fa2fc5206b66bb79
SHA1

e49d21f112ab27ae0953aff30ae122440cf164b9
SHA256

6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
SHA512

4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64
SSDEEP

12288:IbCylcTVPbi7vT1K7n6HpVkg8KHIo5u0K1VmMxEnbuvuY2jTU+LHMA+nk2oG1ts:4lcTVPbikTMkg8KH/mmMxnvfphx8

Score

10^/10

vidar cd7c97cce7ba52cbbfd2d03e0a6f87c3 stealer

Malware Config

Extracted

Family

vidar

Version

8.6

Botnet

cd7c97cce7ba52cbbfd2d03e0a6f87c3

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
cd7c97cce7ba52cbbfd2d03e0a6f87c3
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral6/memory/2132-24-0x0000000000EB0000-0x00000000010F5000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 680 set thread context of 4084	680	Set-up.exe	72

Loads dropped DLL 1 IoCs

pid	Process
2132	Aut2exe.au3

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1068	2132	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
680	Set-up.exe
680	Set-up.exe
4084	ftp.exe
4084	ftp.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
680	Set-up.exe
4084	ftp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 4084	680	Set-up.exe	72
PID 680 wrote to memory of 4084	680	Set-up.exe	72
PID 680 wrote to memory of 4084	680	Set-up.exe	72
PID 680 wrote to memory of 4084	680	Set-up.exe	72
PID 4084 wrote to memory of 2132	4084	ftp.exe	74
PID 4084 wrote to memory of 2132	4084	ftp.exe	74
PID 4084 wrote to memory of 2132	4084	ftp.exe	74
PID 4084 wrote to memory of 2132	4084	ftp.exe	74
PID 4084 wrote to memory of 2132	4084	ftp.exe	74

C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    3⤵
    - Loads dropped DLL
    PID:2132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 2176
      4⤵
      Program crash
      PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55480bf4

Filesize
2.1MB

MD5
f8c089b1ff76276840392131027a2542

SHA1
743217be14b27edc6f64e426a594477c6e28c0e5

SHA256
cf98dff802efc19ad8e67085db972efedaa04ff6acc6141e596b3f44cf7d8574

SHA512
a47c5954ff9f6dfb768361c7f468fb27534f55ccb3baacb03ffeb16501bf41e2c9dc862ee3cc1f48d77b2b48f3734689784fc4349c231e67e17c62c6bc7521ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3

Filesize
1.3MB

MD5
88d518a90f4187b4542618cd328d7a34

SHA1
fa5fd671f8aabce769f82b960634d54c4a27e502

SHA256
5affc1a22d87715d5da70bfddb081335ca0a382b9cc4a54e18263047a76d5d81

SHA512
a1ed751ba7518dcb2cf9ab821fa28690d8f4a41238e4b8d97b37c00eef5662147dea600c90a7192142808f6668f8d252372e0712415d0fb7b9d1faa53b2b7769

Download Submit
memory/680-2-0x00007FF8B7C10000-0x00007FF8B7D7A000-memory.dmp

Filesize
1.4MB

Download
memory/680-6-0x00007FF8B7C10000-0x00007FF8B7D7A000-memory.dmp

Filesize
1.4MB

Download
memory/680-7-0x00007FF8B7C10000-0x00007FF8B7D7A000-memory.dmp

Filesize
1.4MB

Download
memory/2132-20-0x00007FF8C3B90000-0x00007FF8C3D6B000-memory.dmp

Filesize
1.9MB

Download
memory/2132-24-0x0000000000EB0000-0x00000000010F5000-memory.dmp

Filesize
2.3MB

Download
memory/4084-10-0x00007FF8C3B90000-0x00007FF8C3D6B000-memory.dmp

Filesize
1.9MB

Download
memory/4084-12-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/4084-14-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/4084-17-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download