Analysis
-
max time kernel
65s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
15-09-2021 14:31
General
-
Target
0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127.exe
-
Size
594KB
-
MD5
c25627d082399616d43b9ff5c66de1df
-
SHA1
0d31624229601b16d037e22f8a204d3701d7540a
-
SHA256
0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127
-
SHA512
ee854ed5325c8de6aa68c9a3625d0e56d37f40302f1525c31df75b273bc12c59a46bd5bd736400821596b8fe068ef12a67900abaf06dafdec98c7f891f6bca09
Malware Config
Extracted
vidar
26.1
237
http://centos10.com/
-
profile_id
237
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Vidar Stealer 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127.exe"C:\Users\Admin\AppData\Local\Temp\0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127.exe /f & erase C:\Users\Admin\AppData\Local\Temp\0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127.exe & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 0c55d2f909695e522759043833539287910b717860d22f1dbc007f2055a07127.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/628-116-0x0000000000000000-mapping.dmp
-
memory/992-114-0x0000000002210000-0x0000000002299000-memory.dmpFilesize
548KB
-
memory/992-115-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/2652-117-0x0000000000000000-mapping.dmp