vidar | 3bb6290b7c335b7f90db6abdfcaa730c2af0823532a7df5cef9012a215ed76e9

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe
Size

721KB
MD5

f11a95f68fd8f807dd3636e5f795eb45
SHA1

453c11bb7d67b7dc577a41264162ea34d355da40
SHA256

3bb6290b7c335b7f90db6abdfcaa730c2af0823532a7df5cef9012a215ed76e9
SHA512

f1ab70c71bbc7490807d0b4e186aa6d7d591bbe5b3f60f0bb5139be37d90794b6357ea58ad21d2b558e495ec7d893355e94d6370e8510fb62ec1dcf9a0061dba
SSDEEP

12288:UMyH2eoTj4BSP6oMF40SqgkpCc9ATyZtWTpoJng1V98gPm8SN5bn+vwZGEX8cA0U:IHoT76oqCLTMtCwvNF+osEv

Score

10^/10

vidar 916 stealer

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

916

https://mas.to/@xeroxxx

Attributes

profile_id
916

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/3008-2-0x0000000004840000-0x0000000004916000-memory.dmp	family_vidar
behavioral1/memory/3008-3-0x0000000000400000-0x0000000002F7C000-memory.dmp	family_vidar
behavioral1/memory/3008-19-0x0000000000400000-0x0000000002F7C000-memory.dmp	family_vidar
behavioral1/memory/3008-22-0x0000000004840000-0x0000000004916000-memory.dmp	family_vidar

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	3008	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2704	3008	f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2704	3008	f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2704	3008	f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2704	3008	f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f11a95f68fd8f807dd3636e5f795eb45_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 884
  2⤵
  - Program crash
  PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3008-1-0x0000000003020000-0x0000000003120000-memory.dmp

Filesize
1024KB

Download
memory/3008-2-0x0000000004840000-0x0000000004916000-memory.dmp

Filesize
856KB

Download
memory/3008-3-0x0000000000400000-0x0000000002F7C000-memory.dmp

Filesize
43.5MB

Download
memory/3008-19-0x0000000000400000-0x0000000002F7C000-memory.dmp

Filesize
43.5MB

Download
memory/3008-21-0x0000000003020000-0x0000000003120000-memory.dmp

Filesize
1024KB

Download
memory/3008-22-0x0000000004840000-0x0000000004916000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads