Analysis
max time kernel: 135s
max time network: 136s
platform: windows10_x64
resource: win10v20210408
submitted: 08-05-2021 09:02

Static task: static1
Behavioral task: behavioral1
Sample: bbffc3df8804d72ec64bf851e316b233.exe
Resource: win7v20210410
platform: windows7_x64
0 signatures
0 seconds
General
Target: bbffc3df8804d72ec64bf851e316b233.exe
Size: 681KB
MD5: bbffc3df8804d72ec64bf851e316b233
SHA1: 45dcfb6bcb80179a6d4324f2c574da9320943c99
SHA256: e9a341bafeaba15c7e73a7ebb64f2c6463f23f6fbb83417943b4429ef00ab00e
SHA512: 85484e2a447d5862efda0e8ad4d3d865959769259b3b41bc61af1d52d48a37b2ab40284b6af7a27b3a626af9c999e3962a46f84fa214a65a3c19823a7a6b06dd
Malware Config
Extracted
Family: vidar
Version: 38.7
Botnet: 890
C2: https://HAL9THapi.faceit.comramilgame
Attributes
profile_id: 890
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes:
description | pid | process | target process
PID 668 created 804 | 668 | WerFault.exe | bbffc3df8804d72ec64bf851e316b233.exe

Vidar Stealer (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/804-114-0x0000000000760000-0x00000000007F7000-memory.dmp | family_vidar
behavioral2/memory/804-115-0x0000000000400000-0x00000000004C0000-memory.dmp | family_vidar

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
668 | 804 | WerFault.exe | bbffc3df8804d72ec64bf851e316b233.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid | process
668 | WerFault.exe (14 identical rows)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 668 | WerFault.exe
Token: SeBackupPrivilege | 668 | WerFault.exe
Token: SeDebugPrivilege | 668 | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\bbffc3df8804d72ec64bf851e316b233.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bbffc3df8804d72ec64bf851e316b233.exe"

2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
   command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1380
   - Suspicious use of NtCreateProcessExOtherParentProcess
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken