vidar | 9ce8c75892fbdc4793558467d98e05b17459cdce4078b0fb7c270495d195d747

Analysis

max time kernel
67s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 19:27

Target

payload.exe
Size

422KB
MD5

03750d84804cd05a1e7366dd52e67f71
SHA1

c64e12d70a131e168d54e4074c3a11668779381d
SHA256

9ce8c75892fbdc4793558467d98e05b17459cdce4078b0fb7c270495d195d747
SHA512

bcffeebef54e05fac8b7ef3c8d491a686c8de0f5a00f8bf94f9486fb5091e1a916bc491256bf58a6751f9d128c4d9148bad97a3d459976862f26104d6988e4f7
SSDEEP

6144:29KDb7RpkvFCCTnOPivspTpwlHe6EiZ1gFrzTt8ceX7seXztApIvejJXcxQC:zb7RpkMCsppwlRgFXG9XdtOp5ciC

Score

10^/10

vidar stealer

Family

vidar

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3892-0-0x0000000000BB0000-0x0000000000C1E000-memory.dmp	family_vidar_v7
behavioral2/memory/3892-2-0x0000000000BB0000-0x0000000000C1E000-memory.dmp	family_vidar_v7
behavioral2/memory/3748-1-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7
behavioral2/memory/3748-4-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7
behavioral2/memory/3748-6-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

payload.exe

description pid process target process

PID 3892 set thread context of 3748 3892 payload.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

540 3748 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 3892 set thread context of 3748	3892	payload.exe	RegAsm.exe

pid	pid_target	process	target process
540	3748	WerFault.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

payload.exe

description	pid	process	target process
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe
PID 3892 wrote to memory of 3748	3892	payload.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1468
3⤵
- Program crash
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
1⤵
PID:4504

memory/3748-1-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/3748-4-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/3748-6-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/3892-0-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download
memory/3892-2-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download