Analysis
- max time kernel: 121s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 14-10-2021 11:21

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: ba1db6e8623f5d616b06bc749b21b6e0.exe
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: ba1db6e8623f5d616b06bc749b21b6e0.exe
- Size: 742KB
- MD5: ba1db6e8623f5d616b06bc749b21b6e0
- SHA1: 784b43d378764435fb0b334662d2be8ef71dac07
- SHA256: 611796a36903059a2d1725d7849a375b9aa2902254c0d5f5fa2122e83570ea3a
- SHA512: 9fff1d772d9799e833020aa2063e7652795bb077f50b3d18ae49fb1a0c88a800d500f38bb72161dba9a9918ec90757868fd2715cd6e318607ad7efc58d0f8dd9
Malware Config (Extracted)
- Family: vidar
- Version: 41.3
- Botnet: 1008
- C2: https://mas.to/@oleg98
- Attributes:
  - profile_id: 1008
Signatures

Vidar Stealer (2 IoCs)
Processes:
- resource: behavioral1/memory/1092-56-0x00000000002F0000-0x00000000003C6000-memory.dmp, yara_rule: family_vidar
- resource: behavioral1/memory/1092-57-0x0000000000400000-0x000000000172D000-memory.dmp, yara_rule: family_vidar

Program crash (1 IoC)
Processes: WerFault.exe
- pid: 1492, pid_target: 1092, process: WerFault.exe, target process: ba1db6e8623f5d616b06bc749b21b6e0.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: WerFault.exe
- pid: 1492, process: WerFault.exe (5 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: WerFault.exe
- pid: 1492, process: WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WerFault.exe
- description: Token: SeDebugPrivilege, pid: 1492, process: WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: ba1db6e8623f5d616b06bc749b21b6e0.exe
- description: PID 1092 wrote to memory of 1492, pid: 1092, process: ba1db6e8623f5d616b06bc749b21b6e0.exe, target process: WerFault.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ba1db6e8623f5d616b06bc749b21b6e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba1db6e8623f5d616b06bc749b21b6e0.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 868
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1092-54-0x000000000180B000-0x0000000001887000-memory.dmp (Filesize: 496KB)
- memory/1092-55-0x0000000074B41000-0x0000000074B43000-memory.dmp (Filesize: 8KB)
- memory/1092-56-0x00000000002F0000-0x00000000003C6000-memory.dmp (Filesize: 856KB)
- memory/1092-57-0x0000000000400000-0x000000000172D000-memory.dmp (Filesize: 19.2MB)
- memory/1492-58-0x0000000000000000-mapping.dmp
- memory/1492-59-0x0000000000620000-0x0000000000621000-memory.dmp (Filesize: 4KB)