vidar | 0f607419c8b451afe789cc226345c33ed0370fc0ec670171676d74f8ff1d44e9

Analysis

max time kernel
23s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

780.4MB
MD5

828cfb01ed3c8a4fbe4960bc43bb3034
SHA1

cb44421d5eaa4930e115bc9c41803e3d04cc319c
SHA256

0f607419c8b451afe789cc226345c33ed0370fc0ec670171676d74f8ff1d44e9
SHA512

1bedd5815ad14aa2298bff7f82e33a63358e99c107cecf8f5c0c7a8fd2fcc1ea9598b3dea519e89949d815166138a984dc721df55904329fa2b76dae527f86c7
SSDEEP

196608:jjrU7vglcF8zp0zKmSMc8lhjjk3D1GMGMGMGMGMGMGMGMGMGMGMGMGMGMGMGMGMF:jRyDSMxfoTM6

Score

10^/10

vidar 97b92d10859a319d8736cd53ff3f8868 stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

97b92d10859a319d8736cd53ff3f8868

http://5.252.118.12:80

https://t.me/voolkisms

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
97b92d10859a319d8736cd53ff3f8868
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2140-2-0x0000000000190000-0x0000000000BBD000-memory.dmp	family_vidar_v7
behavioral1/memory/2140-40-0x0000000000190000-0x0000000000BBD000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

812 2140 WerFault.exe Setup.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Setup.exe

pid process

2140 Setup.exe

pid	pid_target	process	target process
812	2140	WerFault.exe	Setup.exe

pid	process
2140	Setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 2140 wrote to memory of 812	2140	Setup.exe	WerFault.exe
PID 2140 wrote to memory of 812	2140	Setup.exe	WerFault.exe
PID 2140 wrote to memory of 812	2140	Setup.exe	WerFault.exe
PID 2140 wrote to memory of 812	2140	Setup.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 932
2⤵
- Program crash
PID:812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-36-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2140-34-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2140-31-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2140-29-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2140-26-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2140-24-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2140-21-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2140-19-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2140-16-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2140-14-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2140-12-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2140-11-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2140-9-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2140-7-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2140-6-0x0000000077140000-0x0000000077141000-memory.dmp

Filesize
4KB

Download
memory/2140-5-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2140-3-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2140-2-0x0000000000190000-0x0000000000BBD000-memory.dmp

Filesize
10.2MB

Download
memory/2140-0-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2140-40-0x0000000000190000-0x0000000000BBD000-memory.dmp

Filesize
10.2MB

Download