vidar | e31bb5ae1331089d5eaed1923e2928bf37b2b609ce85d7fb6f5db3de17469a50

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe
Size

234KB
MD5

7c665575a095a3d95e8fd3db9f68dbda
SHA1

9702fa88095963c1d336cd48bca362a2b33a530e
SHA256

be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462
SHA512

2d300feb63df4a08d5ff5e235cc2f6e2f293e3a19a012ee75a933e6992c09e6fb2964fcf5f7fd3443c7fff7a66291bfa4bb1acbc0d9bb9fdd1e36c266a59736f
SSDEEP

6144:TaYIfJebpHDjRu5Wh//MdHavp1RyPaBWuWR0PIDqmvYWx:3I+5EEwCpePae68Ws

Score

10^/10

vidar stealer

Malware Config

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1220-5-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1220-8-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1220-10-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4136 set thread context of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3376	4136	WerFault.exe	85
4768	1220	WerFault.exe	87

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87
PID 4136 wrote to memory of 1220	4136	be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe	87

C:\Users\Admin\AppData\Local\Temp\be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe
"C:\Users\Admin\AppData\Local\Temp\be2346fa2bef1b558f011862043e37bf5cef8b2290202a64a450a08750820462.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 2172
    3⤵
    - Program crash
    PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 808
  2⤵
  - Program crash
  PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4136 -ip 4136
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1220 -ip 1220
1⤵
PID:5072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-5-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1220-8-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1220-10-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4136-0-0x0000000000A80000-0x0000000000ABC000-memory.dmp

Filesize
240KB

Download
memory/4136-1-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4136-4-0x0000000002EF0000-0x0000000004EF0000-memory.dmp

Filesize
32.0MB

Download
memory/4136-12-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download