vidar | aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede

Analysis

max time kernel
194s
max time network
256s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29/04/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe
Size

244KB
MD5

94d71d66415166e8ca9d01f0de2f6422
SHA1

c5dc1afe7fede3032b2cd376f0e9ed5a36fd5c5f
SHA256

aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede
SHA512

11acbbc531a489486a3cb5fdfed5fe2d89fac12337a88bef0004548ad34875e91448010ab28d918bfc7184d11e654607d4903738c04aae3b7f0124d0f3feec41
SSDEEP

3072:YsAeBz6deFpZ1ef943/mvHk0wp03I0xps+Ca+zkOJ7UI7eTlFZ38e39mXJbac0jo:wT6Z1BmvZ20BaTXUzTPpkZbZ0j01

Score

10^/10

vidar stealer

Malware Config

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/4944-4-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4944-7-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4944-9-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4396	1452	WerFault.exe	71
1204	4944	WerFault.exe	75

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3156	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	73
PID 1452 wrote to memory of 3156	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	73
PID 1452 wrote to memory of 3156	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	73
PID 1452 wrote to memory of 4340	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	74
PID 1452 wrote to memory of 4340	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	74
PID 1452 wrote to memory of 4340	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	74
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75
PID 1452 wrote to memory of 4944	1452	aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe	75

C:\Users\Admin\AppData\Local\Temp\aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe
"C:\Users\Admin\AppData\Local\Temp\aff0f558c434e6f1926e5702d858dc4a33997ef37fc42b4121c167a0f2e94ede.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1992
    3⤵
    - Program crash
    PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 796
  2⤵
  - Program crash
  PID:4396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-0-0x0000000000690000-0x00000000006CE000-memory.dmp

Filesize
248KB

Download
memory/1452-1-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-10-0x00000000029F0000-0x00000000049F0000-memory.dmp

Filesize
32.0MB

Download
memory/1452-13-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-14-0x00000000029F0000-0x00000000049F0000-memory.dmp

Filesize
32.0MB

Download
memory/4944-4-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4944-7-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4944-9-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download