Analysis
- max time kernel: 129s
- max time network: 128s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 01-12-2021 07:59

Static task: static1
Behavioral task: behavioral1
- Sample: #Encoder_n2.bin.exe
- Resource: win7-en-20211014
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: #Encoder_n2.bin.exe
- Size: 722KB
- MD5: bc8eaaafd8feb26a72f74dcdb99c7865
- SHA1: 818aa87338d4df601db15f976b70b016e2e23d06
- SHA256: 9d4f3c4a7bce15559a9501b2c7d2ecf8f005a1b325dd407dff8054ed0e3e9b17
- SHA512: c49c05d3663529b949863cb714d3cbfe7869551e4a6b57dc5281c7ba569fe1c90481a135fb689edf8bd7121b48fd78eb9efe2a0d8960023d161ec0f47f5bfcad
Malware Config (Extracted)
- Family: vidar
- Version: 48.7
- Botnet: 517
- C2:
  - https://mstdn.social/@anapa
  - https://mastodon.social/@mniami
- Attributes:
  - profile_id: 517
Signatures
- Vidar Stealer (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/2564-119-0x0000000000400000-0x00000000004D8000-memory.dmp: family_vidar
  - behavioral2/memory/2564-120-0x00000000004A140D-mapping.dmp: family_vidar
  - behavioral2/memory/1692-121-0x00000000048C0000-0x0000000004995000-memory.dmp: family_vidar
  - behavioral2/memory/2564-122-0x0000000000400000-0x00000000004D8000-memory.dmp: family_vidar
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1692 set thread context of 2564 / 1692 / #Encoder_n2.bin.exe / #Encoder_n2.bin.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 1692 wrote to memory of 2564 / 1692 / #Encoder_n2.bin.exe / #Encoder_n2.bin.exe (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\#Encoder_n2.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\#Encoder_n2.bin.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\#Encoder_n2.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\#Encoder_n2.bin.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1692-118-0x0000000002E39000-0x0000000002EB6000-memory.dmp (filesize 500KB)
- memory/1692-121-0x00000000048C0000-0x0000000004995000-memory.dmp (filesize 852KB)
- memory/2564-119-0x0000000000400000-0x00000000004D8000-memory.dmp (filesize 864KB)
- memory/2564-120-0x00000000004A140D-mapping.dmp
- memory/2564-122-0x0000000000400000-0x00000000004D8000-memory.dmp (filesize 864KB)