Analysis

Max time kernel: 120s
Max time network: 119s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 10-10-2021 11:49

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 271c8cd98ea973ac6f624d19208659fa.exe
Resource: win7-en-20210920
Platform: windows7_x64
0 signatures, 0 seconds
General

Target: 271c8cd98ea973ac6f624d19208659fa.exe
Size: 770KB
MD5: 271c8cd98ea973ac6f624d19208659fa
SHA1: 23f8fe53a722a3684dd81e652ce1612940041423
SHA256: 039319cf3944c2873517912d91bd02c48a634c36ef69acab04e54d1ce07685c1
SHA512: df185d1934b12c6dc748caf83caec78d56a82067eb4f55912a7bd9953d44e58707396c8dc4812f770fcd2ec2fbf809c0dea0f77fb89f8d7e0353802a981a62ee
Malware Config

Extracted
Family: vidar
Version: 41.2
Botnet: 1008
C2: https://mas.to/@serg4325
Attributes
profile_id: 1008

The extracted C2 value is a Mastodon profile URL, not the stealer's own server. Vidar stores the address of its real C2 in the bio of a social-media profile and resolves it at run time (a dead-drop resolver), so the profile URL is the retrieval point, and the exfiltration endpoint is whatever that profile pointed to at the time of the run. The Botnet value (1008) is the same identifier reported as profile_id.
Signatures

Vidar Stealer (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/2004-55-0x0000000001740000-0x0000000001816000-memory.dmp   family_vidar
  behavioral1/memory/2004-56-0x0000000000400000-0x0000000001734000-memory.dmp   family_vidar

Program crash (1 IoC)
  pid    pid_target   process        target process
  1932   2004         WerFault.exe   271c8cd98ea973ac6f624d19208659fa.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid    process
  1932   WerFault.exe   (5 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  1932   WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                  pid    process
  Token: SeDebugPrivilege      1932   WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                            pid    process                                 target process
  PID 2004 wrote to memory of 1932       2004   271c8cd98ea973ac6f624d19208659fa.exe   WerFault.exe   (4 identical entries)

Only the YARA match is attributable to the sample's own code. Every other signature is raised by PID 1932, WerFault.exe, the Windows Error Reporting process started because the sample (PID 2004) crashed: WerFault takes SeDebugPrivilege to open the crashed process, and the parent's writes into PID 1932 are the ones a parent performs when it creates that child, not injection into an unrelated victim process. Because the run ended in a crash, no network activity is listed, so the behavioral task never reached the run-time C2 resolution described under Malware Config; the family attribution rests on the in-memory YARA hits alone.
Processes

C:\Users\Admin\AppData\Local\Temp\271c8cd98ea973ac6f624d19208659fa.exe   (PID 2004)
  "C:\Users\Admin\AppData\Local\Temp\271c8cd98ea973ac6f624d19208659fa.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe   (PID 1932, child of 2004)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1932-57-0x0000000000000000-mapping.dmp
memory/1932-58-0x0000000000350000-0x0000000000351000-memory.dmp   Filesize: 4KB
memory/2004-53-0x000000000187B000-0x00000000018F8000-memory.dmp   Filesize: 500KB
memory/2004-54-0x0000000075C11000-0x0000000075C13000-memory.dmp   Filesize: 8KB
memory/2004-55-0x0000000001740000-0x0000000001816000-memory.dmp   Filesize: 856KB
memory/2004-56-0x0000000000400000-0x0000000001734000-memory.dmp   Filesize: 19.2MB
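The dump names above encode the PID and the virtual address range of each region, and two of them are the resources that matched the family_vidar rule under Signatures. The following script is an added example, not part of the report and not tooling shipped by the sandbox: it parses that naming convention (memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp, an assumption read off the listed names), recomputes each region's size so it can be checked against the Filesize column, joins the YARA hits to the dumps they were taken from, and marks the dump that contains 0x400000, assumed here to be the default 32-bit PE image base and hence the sample's main module. The dump and hit lists are copied from this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Memory dump names exactly as listed under Downloads in the report above.
DUMPS = [
    "memory/1932-57-0x0000000000000000-mapping.dmp",
    "memory/1932-58-0x0000000000350000-0x0000000000351000-memory.dmp",
    "memory/2004-53-0x000000000187B000-0x00000000018F8000-memory.dmp",
    "memory/2004-54-0x0000000075C11000-0x0000000075C13000-memory.dmp",
    "memory/2004-55-0x0000000001740000-0x0000000001816000-memory.dmp",
    "memory/2004-56-0x0000000000400000-0x0000000001734000-memory.dmp",
]

# resource -> yara_rule pairs from the "Vidar Stealer" signature, with the
# task prefix (behavioral1/) kept as the report prints it.
YARA_HITS = {
    "behavioral1/memory/2004-55-0x0000000001740000-0x0000000001816000-memory.dmp": "family_vidar",
    "behavioral1/memory/2004-56-0x0000000000400000-0x0000000001734000-memory.dmp": "family_vidar",
}

# Assumed naming convention: [<task>/]memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^(?:[^/]+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Assumption: default image base of a 32-bit PE, used to spot the main module's dump.
DEFAULT_IMAGE_BASE = 0x400000


@dataclass
class Dump:
    name: str
    pid: int
    seq: int
    kind: str
    start: int
    end: Optional[int]

    @property
    def size(self) -> Optional[int]:
        """Region length in bytes; mapping dumps carry no end address."""
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return Dump(
        name=name,
        pid=int(m.group("pid")),
        seq=int(m.group("seq")),
        kind=m.group("kind"),
        start=int(m.group("start"), 16),
        end=int(end, 16) if end is not None else None,
    )


def human_size(nbytes: int) -> str:
    """Whole KB below 1 MiB, otherwise MB to one decimal, matching the report's Filesize column."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def summarize(dumps: List[str], hits: Dict[str, str]) -> List[dict]:
    """Join the dump list with the YARA hits (by pid/seq) and flag the dump holding the image base."""
    rules = {}
    for resource, rule in hits.items():
        d = parse_dump(resource)
        rules[(d.pid, d.seq)] = rule
    rows = []
    for d in sorted((parse_dump(n) for n in dumps), key=lambda d: (d.pid, d.seq)):
        rows.append({
            "name": d.name,
            "pid": d.pid,
            "size": None if d.size is None else human_size(d.size),
            "rule": rules.get((d.pid, d.seq)),
            "image_base": d.contains(DEFAULT_IMAGE_BASE),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(DUMPS, YARA_HITS):
        flags = [f for f, on in (("yara", row["rule"]), ("image-base", row["image_base"])) if on]
        print(f"{row['pid']}  {row['size'] or '-':>7}  {row['name']}  {' '.join(flags)}")
```

Run as-is it reproduces the six Filesize values, shows that both family_vidar hits come from PID 2004, and that 2004-56 is the dump covering the image base while 2004-55 is a separate 856KB region at 0x1740000; when a packed stealer is in play the latter kind of region is usually the one worth carving for strings and config, so it is the dump to pull first.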