Analysis

max time kernel: 131s
max time network: 121s
platform: windows7_x64
resource: win7-en-20210920
submitted: 13-10-2021 09:35

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bc8f0bfb94d9a4455282bb072b79e858.exe
  - Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds
General

Target: bc8f0bfb94d9a4455282bb072b79e858.exe
Size: 683KB
MD5: bc8f0bfb94d9a4455282bb072b79e858
SHA1: bb004397b82ba101f65a6aa9e8c7533061c01e2b
SHA256: 1fbbaa6cfa20d6e11a3e5e4ba0702f608d474cbf5a86eef891fb57a671c684be
SHA512: 60a40427f9011abc97e48dace42c8b0d9f39b1416e0d8dd27bab1110d99248fb8e273bd4218b8427bf6a4525c6d157b021703e43d5c5473d95f26f6e7d5ef1ad
Malware Config

Extracted
Family: vidar
Version: 41.3
Botnet: 1008
C2: https://mas.to/@oleg98
Attributes:
- profile_id: 1008
Signatures

Vidar Stealer (2 IoCs)
Processes:
  resource                                                                        | yara_rule
  behavioral1/memory/1596-57-0x0000000000400000-0x00000000004D9000-memory.dmp     | family_vidar
  behavioral1/memory/1596-56-0x0000000000550000-0x0000000000626000-memory.dmp     | family_vidar

Program crash (1 IoC)
Processes:
  pid | pid_target | process      | target process
  300 | 1596       | WerFault.exe | bc8f0bfb94d9a4455282bb072b79e858.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  300 | WerFault.exe   (5 identical events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  300 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description             | pid | process
  Token: SeDebugPrivilege | 300 | WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       | pid  | process                              | target process
  PID 1596 wrote to memory of 300   | 1596 | bc8f0bfb94d9a4455282bb072b79e858.exe | WerFault.exe   (4 identical events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc8f0bfb94d9a4455282bb072b79e858.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc8f0bfb94d9a4455282bb072b79e858.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 772
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads

- memory/300-58-0x0000000000000000-mapping.dmp
- memory/300-59-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize: 4KB)
- memory/1596-54-0x00000000002C8000-0x0000000000345000-memory.dmp (Filesize: 500KB)
- memory/1596-55-0x00000000757B1000-0x00000000757B3000-memory.dmp (Filesize: 8KB)
- memory/1596-57-0x0000000000400000-0x00000000004D9000-memory.dmp (Filesize: 868KB)
- memory/1596-56-0x0000000000550000-0x0000000000626000-memory.dmp (Filesize: 856KB)
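The two family_vidar YARA hits above land on memory dumps of PID 1596 (the sample itself, not WerFault), and the dump file names encode the region that was carved. The script below is an added example, not part of this sandbox report or of the sandbox's own tooling: it parses the dump names from the Downloads list, recomputes each region size from the start and end addresses, checks it against the Filesize the report prints, and flags which region sits at 0x00400000. The assumption that the name layout is memory/<pid>-<sequence>-<start>-<end>-memory.dmp is inferred from the names shown here, and 0x00400000 as the default image base is the general linker default for 32-bit PE executables (the SysWOW64 WerFault path shows the process was 32-bit). Reading the second hit at 0x00550000 as a non-image region worth carving first is my interpretation, not something the report states.

```python
import re

# Dump names and Filesize values copied from this report's Downloads section.
REPORTED = {
    "memory/300-58-0x0000000000000000-mapping.dmp": None,
    "memory/300-59-0x00000000004E0000-0x00000000004E1000-memory.dmp": "4KB",
    "memory/1596-54-0x00000000002C8000-0x0000000000345000-memory.dmp": "500KB",
    "memory/1596-55-0x00000000757B1000-0x00000000757B3000-memory.dmp": "8KB",
    "memory/1596-57-0x0000000000400000-0x00000000004D9000-memory.dmp": "868KB",
    "memory/1596-56-0x0000000000550000-0x0000000000626000-memory.dmp": "856KB",
}

# Dumps the report's "Vidar Stealer" signature matched with rule family_vidar.
YARA_HITS = {
    "behavioral1/memory/1596-57-0x0000000000400000-0x00000000004D9000-memory.dmp",
    "behavioral1/memory/1596-56-0x0000000000550000-0x0000000000626000-memory.dmp",
}

# Assumed name layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, or
# memory/<pid>-<seq>-0x<addr>-mapping.dmp for a mapping dump with no range.
DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Default preferred load address for a 32-bit PE executable.
DEFAULT_IMAGE_BASE = 0x00400000


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start/end addresses."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": int(m.group("start"), 16),
        "end": int(end, 16) if end is not None else None,
        "kind": "memory" if end is not None else "mapping",
    }


def parse_size_kb(text):
    """Turn a report Filesize string such as '868KB' into an integer KB count."""
    if text is None:
        return None
    m = re.fullmatch(r"(\d+)KB", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1))


def region_size_kb(info):
    """Size implied by the address range in the dump name, in whole KB."""
    if info["end"] is None:
        return None
    return (info["end"] - info["start"]) // 1024


def check_report(reported=REPORTED, yara_hits=YARA_HITS):
    """Cross-check every dump: name-derived size vs reported size, plus context flags."""
    rows = []
    for name, size_text in reported.items():
        info = parse_dump_name(name)
        computed = region_size_kb(info)
        reported_kb = parse_size_kb(size_text)
        rows.append({
            "name": name,
            "pid": info["pid"],
            "start": info["start"],
            "computed_kb": computed,
            "reported_kb": reported_kb,
            # None == None for the mapping dump, which has no size to compare.
            "size_consistent": computed == reported_kb,
            "at_default_image_base": info["start"] == DEFAULT_IMAGE_BASE,
            "yara_vidar": f"behavioral1/{name}" in yara_hits,
        })
    return rows


def vidar_regions(rows=None):
    """(pid, start address) of every dump that carried the family_vidar hit."""
    rows = rows if rows is not None else check_report()
    return sorted((r["pid"], r["start"]) for r in rows if r["yara_vidar"])


if __name__ == "__main__":
    for r in check_report():
        flags = []
        if r["at_default_image_base"]:
            flags.append("image-base")
        if r["yara_vidar"]:
            flags.append("family_vidar")
        print(f"pid {r['pid']:>4}  0x{r['start']:08X}  computed={r['computed_kb']}KB  "
              f"reported={r['reported_kb']}KB  ok={r['size_consistent']}  {' '.join(flags)}")
```

Every reported Filesize matches the address range exactly, so the names can be trusted when picking a dump to load: the 868KB region at 0x00400000 is the loaded image of the sample, and the 856KB region at 0x00550000 is a separate allocation in the same process that also matched family_vidar.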