vidar | cd53d2bae5ec8268dfe72cdea2f284d4a4d99a8a6714d18d89dd25119921ec6a

Analysis

max time kernel
134s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe
Size

224KB
MD5

769c8ad3f187882a49cda5d26103730c
SHA1

dae972d44336ffbb28509eabe946e83972166502
SHA256

5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e
SHA512

08a5f80741ea4b0325efe15ad69feb44f4ea1a8ace70f072109f4ec19ad4bc56185aa5f3f734b03906ad3691f9cae43aea3a4ba88e507f97a753e11ca913669c
SSDEEP

3072:Q52Gig7F8wUC1mK2iKkb8YxhX7EQXdeBvR/P4ieqSgvBEn/zcAGqxp6qUDbKSB/:sdF8l9sKqHbYQU/BSg5En/zqq/6qU/

Score

10^/10

vidar e1d2225c9e4727fe2818a17924d7e065 stealer

Malware Config

Extracted

Family

vidar

Version

8.5

Botnet

e1d2225c9e4727fe2818a17924d7e065

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
e1d2225c9e4727fe2818a17924d7e065
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1584-4-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-7-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-11-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4640	1584	WerFault.exe	96

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96
PID 4760 wrote to memory of 1584	4760	5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe	96

C:\Users\Admin\AppData\Local\Temp\5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe
"C:\Users\Admin\AppData\Local\Temp\5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 2212
    3⤵
    - Program crash
    PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1584 -ip 1584
1⤵
PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-4-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1584-7-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1584-11-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4760-1-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4760-0-0x00000000003F0000-0x000000000042E000-memory.dmp

Filesize
248KB

Download
memory/4760-10-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4760-12-0x00000000027D0000-0x00000000047D0000-memory.dmp

Filesize
32.0MB

Download
memory/4760-16-0x00000000027D0000-0x00000000047D0000-memory.dmp

Filesize
32.0MB

Download