Analysis
-
max time kernel
122s -
max time network
138s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-02-2022 06:06
Static task
static1
Behavioral task
behavioral1
Sample
cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe
-
Size
764KB
-
MD5
6803564f8d27498decae376b90142e4f
-
SHA1
41faef623fe7f6eaf120ac22d66e7c6fc1779db4
-
SHA256
cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76
-
SHA512
79b3e8eaa9539995738b281c842861f118e85449094ef8d8a7e5c4774bba1a3cfadc27fc88353b3411acbbef8780c7a0348545844d461e94751aed4ade8f3f29
Malware Config
Extracted
Family
vidar
Version
48.2
Botnet
937
C2
https://koyu.space/@qmashton
Attributes
-
profile_id
937
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/744-57-0x0000000004350000-0x0000000004425000-memory.dmp family_vidar behavioral1/memory/744-58-0x0000000000400000-0x00000000004D8000-memory.dmp family_vidar -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 992 744 WerFault.exe cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 992 WerFault.exe 992 WerFault.exe 992 WerFault.exe 992 WerFault.exe 992 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 992 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 992 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exedescription pid process target process PID 744 wrote to memory of 992 744 cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe WerFault.exe PID 744 wrote to memory of 992 744 cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe WerFault.exe PID 744 wrote to memory of 992 744 cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe WerFault.exe PID 744 wrote to memory of 992 744 cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe"C:\Users\Admin\AppData\Local\Temp\cba4bf2713f913043fd6aa5990aa937a470f48c11c3d0361fe1cb951d6a74c76.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 13082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/744-54-0x00000000002EB000-0x0000000000367000-memory.dmpFilesize
496KB
-
memory/744-55-0x0000000076041000-0x0000000076043000-memory.dmpFilesize
8KB
-
memory/744-56-0x00000000002EB000-0x0000000000367000-memory.dmpFilesize
496KB
-
memory/744-57-0x0000000004350000-0x0000000004425000-memory.dmpFilesize
852KB
-
memory/744-58-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/992-59-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB