vidar | fabac53ffc7381edddcaddca2c9b2d647dd30a2e66d62c3cca720349f1e66d4e | Triage

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 19:43

Sharing

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

c7cb10eadcca31c88538f972fd657590
SHA1

9b09cdc280601e63579ae2cb64d863a0419d971c
SHA256

fabac53ffc7381edddcaddca2c9b2d647dd30a2e66d62c3cca720349f1e66d4e
SHA512

9d8efe2b42c5cc99fdc807a9b3d6628c39825b257aef9e81d4b9396b5d3b730307478c047764631fc6b646895c7e92052326dff6e1740fd2ba4eef7904224bd6
SSDEEP

24576:f26YE2EStbC19xq1a9GeWTaaQgUkSMnHJa:fHp19xq1a9QQMHJa

Score

10^/10

vidar stealer

Malware Config

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Detect Vidar Stealer 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4712-0-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7
behavioral2/memory/4936-1-0x00000000005B0000-0x00000000006CA000-memory.dmp	family_vidar_v7
behavioral2/memory/4712-3-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7
behavioral2/memory/4712-5-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4936 set thread context of 4712 4936 file.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3780 4936 WerFault.exe file.exe
3728 4712 WerFault.exe RegAsm.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe
PID 4936 wrote to memory of 4712	4936	file.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 2100
3⤵
- Program crash
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 332
2⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4936 -ip 4936
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4712 -ip 4712
1⤵
PID:4112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4712-0-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/4712-3-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/4712-5-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/4936-1-0x00000000005B0000-0x00000000006CA000-memory.dmp

Filesize
1.1MB

Download