vidar | a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7

Resubmissions

03-04-2024 19:54

240403-ymwwtabd88 10

29-03-2024 17:27

240329-v1sjrsde91 10

Analysis

max time kernel
143s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inchr_StExta_Itst_v.3.1/Set-up.exe
Size

1.1MB
MD5

f975a2d83d63a473fa2fc5206b66bb79
SHA1

e49d21f112ab27ae0953aff30ae122440cf164b9
SHA256

6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
SHA512

4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64
SSDEEP

12288:IbCylcTVPbi7vT1K7n6HpVkg8KHIo5u0K1VmMxEnbuvuY2jTU+LHMA+nk2oG1ts:4lcTVPbikTMkg8KH/mmMxnvfphx8

Score

10^/10

vidar cd7c97cce7ba52cbbfd2d03e0a6f87c3 stealer

Malware Config

Extracted

Family

vidar

Version

8.6

Botnet

cd7c97cce7ba52cbbfd2d03e0a6f87c3

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
cd7c97cce7ba52cbbfd2d03e0a6f87c3
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral7/memory/3292-18-0x0000000000550000-0x0000000000795000-memory.dmp	family_vidar_v7
behavioral7/memory/3292-24-0x0000000000550000-0x0000000000795000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3356 set thread context of 1168	3356	Set-up.exe	85

Loads dropped DLL 1 IoCs

pid	Process
3292	Aut2exe.au3

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1840	3292	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3356	Set-up.exe
3356	Set-up.exe
1168	ftp.exe
1168	ftp.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3356	Set-up.exe
1168	ftp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1168	3356	Set-up.exe	85
PID 3356 wrote to memory of 1168	3356	Set-up.exe	85
PID 3356 wrote to memory of 1168	3356	Set-up.exe	85
PID 3356 wrote to memory of 1168	3356	Set-up.exe	85
PID 1168 wrote to memory of 3292	1168	ftp.exe	94
PID 1168 wrote to memory of 3292	1168	ftp.exe	94
PID 1168 wrote to memory of 3292	1168	ftp.exe	94
PID 1168 wrote to memory of 3292	1168	ftp.exe	94
PID 1168 wrote to memory of 3292	1168	ftp.exe	94

C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    3⤵
    - Loads dropped DLL
    PID:3292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 2000
      4⤵
      Program crash
      PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3292 -ip 3292
1⤵
PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bbad058

Filesize
2.1MB

MD5
6f9026b7eea204e35a03011baac18668

SHA1
4b4bee19ad3eb11d2d3079f6c66481873cbd0519

SHA256
72480f701fa0e84d55f93e97f0ca380a005d6709b1ec7e59718f530930f7982d

SHA512
a19e34c325ca194589c4612b03763a16e46b138eca8ff4ef3f51fe9a00a49a66c92947b1f245a29b30520e7806c5880a017a0fc278e5a9bba43f82112e0470b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3

Filesize
1.3MB

MD5
88d518a90f4187b4542618cd328d7a34

SHA1
fa5fd671f8aabce769f82b960634d54c4a27e502

SHA256
5affc1a22d87715d5da70bfddb081335ca0a382b9cc4a54e18263047a76d5d81

SHA512
a1ed751ba7518dcb2cf9ab821fa28690d8f4a41238e4b8d97b37c00eef5662147dea600c90a7192142808f6668f8d252372e0712415d0fb7b9d1faa53b2b7769

Download Submit
memory/1168-8-0x00007FFBCA770000-0x00007FFBCA965000-memory.dmp

Filesize
2.0MB

Download
memory/1168-10-0x0000000074C30000-0x0000000074DAB000-memory.dmp

Filesize
1.5MB

Download
memory/1168-11-0x0000000074C30000-0x0000000074DAB000-memory.dmp

Filesize
1.5MB

Download
memory/1168-16-0x0000000074C30000-0x0000000074DAB000-memory.dmp

Filesize
1.5MB

Download
memory/3292-18-0x0000000000550000-0x0000000000795000-memory.dmp

Filesize
2.3MB

Download
memory/3292-20-0x00007FFBCA770000-0x00007FFBCA965000-memory.dmp

Filesize
2.0MB

Download
memory/3292-24-0x0000000000550000-0x0000000000795000-memory.dmp

Filesize
2.3MB

Download
memory/3356-0-0x00007FFBBC710000-0x00007FFBBC882000-memory.dmp

Filesize
1.4MB

Download
memory/3356-4-0x00007FFBBC710000-0x00007FFBBC882000-memory.dmp

Filesize
1.4MB

Download
memory/3356-5-0x00007FFBBC710000-0x00007FFBBC882000-memory.dmp

Filesize
1.4MB

Download