vidar | a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7

Resubmissions

03-04-2024 19:54

240403-ymwwtabd88 10

29-03-2024 17:27

240329-v1sjrsde91 10

Analysis

max time kernel
89s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
03-04-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inchr_StExta_Itst_v.3.1/Set-up.exe
Size

1.1MB
MD5

f975a2d83d63a473fa2fc5206b66bb79
SHA1

e49d21f112ab27ae0953aff30ae122440cf164b9
SHA256

6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
SHA512

4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64
SSDEEP

12288:IbCylcTVPbi7vT1K7n6HpVkg8KHIo5u0K1VmMxEnbuvuY2jTU+LHMA+nk2oG1ts:4lcTVPbikTMkg8KH/mmMxnvfphx8

Score

10^/10

vidar cd7c97cce7ba52cbbfd2d03e0a6f87c3 stealer

Malware Config

Extracted

Family

vidar

Version

8.6

Botnet

cd7c97cce7ba52cbbfd2d03e0a6f87c3

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
cd7c97cce7ba52cbbfd2d03e0a6f87c3
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral8/memory/1436-28-0x0000000000EA0000-0x00000000010E5000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3768 set thread context of 3956	3768	Set-up.exe	75

Loads dropped DLL 1 IoCs

pid	Process
1436	Aut2exe.au3

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3396	1436	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3768	Set-up.exe
3768	Set-up.exe
3956	ftp.exe
3956	ftp.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3768	Set-up.exe
3956	ftp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3956	3768	Set-up.exe	75
PID 3768 wrote to memory of 3956	3768	Set-up.exe	75
PID 3768 wrote to memory of 3956	3768	Set-up.exe	75
PID 3768 wrote to memory of 3956	3768	Set-up.exe	75
PID 3956 wrote to memory of 1436	3956	ftp.exe	77
PID 3956 wrote to memory of 1436	3956	ftp.exe	77
PID 3956 wrote to memory of 1436	3956	ftp.exe	77
PID 3956 wrote to memory of 1436	3956	ftp.exe	77
PID 3956 wrote to memory of 1436	3956	ftp.exe	77

C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3
    3⤵
    - Loads dropped DLL
    PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 2216
      4⤵
      Program crash
      PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1436 -ip 1436
1⤵
PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aut2exe.au3

Filesize
1.3MB

MD5
88d518a90f4187b4542618cd328d7a34

SHA1
fa5fd671f8aabce769f82b960634d54c4a27e502

SHA256
5affc1a22d87715d5da70bfddb081335ca0a382b9cc4a54e18263047a76d5d81

SHA512
a1ed751ba7518dcb2cf9ab821fa28690d8f4a41238e4b8d97b37c00eef5662147dea600c90a7192142808f6668f8d252372e0712415d0fb7b9d1faa53b2b7769

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9f01691

Filesize
2.1MB

MD5
c06d1d5407c2c731a72278b66c631818

SHA1
189536ac5b25b3acc067dd981970acd619b625d8

SHA256
04d758bc8b4bc247bd7862fce020fa00467517838ee9f4ce9701cfb38e8eaf7b

SHA512
0ab5a8af1608ca8f9e0c6bae2dea16d41efa75ddc5d8b9a4247a1b29ad26cf499649c861020c4a25901af62aa3b662e226ac5da767476a37483d5073aa58b2a2

Download Submit
memory/1436-19-0x00007FFDDDA40000-0x00007FFDDDC49000-memory.dmp

Filesize
2.0MB

Download
memory/1436-28-0x0000000000EA0000-0x00000000010E5000-memory.dmp

Filesize
2.3MB

Download
memory/3768-0-0x00007FFDCEAA0000-0x00007FFDCEC1A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-4-0x00007FFDCEAA0000-0x00007FFDCEC1A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-5-0x00007FFDCEAA0000-0x00007FFDCEC1A000-memory.dmp

Filesize
1.5MB

Download
memory/3956-8-0x00007FFDDDA40000-0x00007FFDDDC49000-memory.dmp

Filesize
2.0MB

Download
memory/3956-11-0x00000000749C0000-0x0000000074B3D000-memory.dmp

Filesize
1.5MB

Download
memory/3956-12-0x00000000749C0000-0x0000000074B3D000-memory.dmp

Filesize
1.5MB

Download
memory/3956-17-0x00000000749C0000-0x0000000074B3D000-memory.dmp

Filesize
1.5MB

Download