Analysis Overview
SHA256
b23b61cd59e29ffe5f204918dc720bf6f21278bc17e541613303727ccd8263b1
Threat Level: Known bad
The file update.bin (1).zip was found to be: Known bad.
Malicious Activity Summary
Vidar
MassLogger
Vidar log file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-12-03 18:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-03 18:27
Reported
2020-12-03 18:57
Platform
win10v20201028
Max time kernel
1727s
Max time network
1728s
Command Line
Signatures
MassLogger
Vidar
Vidar log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\update.bin.exe
"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
Files
memory/644-2-0x0000000002380000-0x0000000002381000-memory.dmp
memory/644-3-0x0000000002380000-0x0000000002381000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-03 18:27
Reported
2020-12-03 18:32
Platform
win10v20201028
Max time kernel
300s
Max time network
301s
Command Line
Signatures
MassLogger
Vidar
Vidar log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\update.bin.exe
"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
Files
memory/4804-2-0x00000000022A0000-0x00000000022A1000-memory.dmp
memory/4804-3-0x00000000022A0000-0x00000000022A1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2020-12-03 18:27
Reported
2020-12-03 18:28
Platform
win10v20201028
Max time kernel
9s
Max time network
47s
Command Line
Signatures
MassLogger
Vidar
Vidar log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\update.bin.exe
"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | kolobkoproms.ug | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1020-2-0x0000000002410000-0x0000000002411000-memory.dmp