vidar | fabac53ffc7381edddcaddca2c9b2d647dd30a2e66d62c3cca720349f1e66d4e | Triage

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 19:43

Sharing

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

c7cb10eadcca31c88538f972fd657590
SHA1

9b09cdc280601e63579ae2cb64d863a0419d971c
SHA256

fabac53ffc7381edddcaddca2c9b2d647dd30a2e66d62c3cca720349f1e66d4e
SHA512

9d8efe2b42c5cc99fdc807a9b3d6628c39825b257aef9e81d4b9396b5d3b730307478c047764631fc6b646895c7e92052326dff6e1740fd2ba4eef7904224bd6
SSDEEP

24576:f26YE2EStbC19xq1a9GeWTaaQgUkSMnHJa:fHp19xq1a9QQMHJa

Score

10^/10

vidar stealer

Malware Config

Signatures

Detect Vidar Stealer 1 IoCs

resource	yara_rule
behavioral1/memory/1084-0-0x0000000000310000-0x000000000042A000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2248	1084	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2248	1084	file.exe	28
PID 1084 wrote to memory of 2248	1084	file.exe	28
PID 1084 wrote to memory of 2248	1084	file.exe	28
PID 1084 wrote to memory of 2248	1084	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 116
  2⤵
  - Program crash
  PID:2248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-0-0x0000000000310000-0x000000000042A000-memory.dmp

Filesize
1.1MB

Download