General
Target: c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
Filesize: 675KB
Completed: 15-02-2022 06:15
Task: behavioral1
Score: 10/10
MD5: cef76d7fba522e19ac03269b6275ff3f
SHA1: 81cbb61d06fcd512081a5dac97a7865d98d7a22b
SHA256: c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d
SHA512: e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a

Malware Config

Extracted
Family: vidar
Version: 48.1
Botnet: 937
C2: https://koyu.space/@rspich
Attributes
profile_id: 937

Note on the C2 value: koyu.space is a public Mastodon instance, and the URL is a user profile, not a command server. Vidar builds of this period use such profiles as a dead-drop resolver: the payload fetches the profile and reads the address of the actual C2 from the profile text. Blocking or hunting for the Mastodon host alone therefore does not cover the real exfiltration endpoint, which has to be recovered from the profile content or from the sample's network traffic.
Signatures 6
  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp  family_vidar
    behavioral1/memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp  family_vidar
  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    2044  1148        WerFault.exe  c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    2044  WerFault.exe  (5 occurrences)
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description                pid   process
    Token: SeDebugPrivilege    2044  WerFault.exe
  • Suspicious use of WriteProcessMemory
    c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe

    Reported IOCs

    description                         pid   process                                                                target process
    PID 1148 wrote to memory of 2044    1148  c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe  WerFault.exe  (4 occurrences)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
    "C:\Users\Admin\AppData\Local\Temp\c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe"
    Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1364
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044

Note: WerFault.exe is the Windows Error Reporting fault handler, launched here for the faulting process 1148 (-p 1148), which means the sample crashed in the sandbox. The WriteProcessMemory from 1148 into 2044, the SeDebugPrivilege adjustment and the process enumeration by 2044 are consistent with that crash-reporting handshake rather than with code injection by the payload. The Vidar verdict rests on the YARA matches in the memory dumps of PID 1148, not on these three behavioral signatures, and because the sample did not run to completion the Network section below is empty; the dumps are the main artefact this run produced.
Network
MITRE ATT&CK Matrix
Tactic columns (no techniques populated in this report): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1148-55-0x0000000076511000-0x0000000076513000-memory.dmp
  • memory/1148-56-0x0000000000310000-0x000000000038B000-memory.dmp
  • memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp
  • memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp
  • memory/2044-59-0x0000000000210000-0x0000000000211000-memory.dmp
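With five dumps and only two family_vidar hits, the practical question is which dump to open first. The following Python script is an added example, not part of the sandbox report: it parses the dump names listed under Downloads (pid, sequence number, start and end address), marks the two dumps the Vidar Stealer signature matched, and orders the regions for analysis. The dump names and YARA hits are copied from this report; the default 32-bit image base 0x400000 used to label the main module mapping is an assumption about the sample, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Naming scheme used by the report: memory/<pid>-<seq>-<start>-<end>-memory.dmp,
# optionally prefixed with the task name (behavioral1/).
DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names as listed under Downloads in the report.
DUMPS = [
    "memory/1148-55-0x0000000076511000-0x0000000076513000-memory.dmp",
    "memory/1148-56-0x0000000000310000-0x000000000038B000-memory.dmp",
    "memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp",
    "memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp",
    "memory/2044-59-0x0000000000210000-0x0000000000211000-memory.dmp",
]

# Dumps the family_vidar YARA rule matched, from the "Vidar Stealer" signature.
FAMILY_HITS = {
    "behavioral1/memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp",
    "behavioral1/memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp",
}

# Assumption (not stated in the report): the sample is a 32-bit PE loaded at the
# default image base, so the region covering this address is the main module.
DEFAULT_IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class Region:
    name: str
    pid: int
    seq: int
    start: int
    end: int
    family_hit: bool

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def _key(name: str) -> str:
    """Normalise 'behavioral1/memory/...' and 'memory/...' to one comparable key."""
    return name[name.index("memory/"):]


def parse_dump(name: str, hits: Iterable[str] = ()) -> Region:
    """Parse one dump name; raise ValueError for names outside the scheme."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    hit_keys = {_key(h) for h in hits}
    return Region(name=_key(name), pid=int(m["pid"]), seq=int(m["seq"]),
                  start=start, end=end, family_hit=_key(name) in hit_keys)


def triage(dumps: Iterable[str], hits: Iterable[str]) -> List[Region]:
    """Order regions for analysis: family-rule hits first, then largest first."""
    regions = [parse_dump(d, hits) for d in dumps]
    return sorted(regions, key=lambda r: (not r.family_hit, -r.size, r.seq))


def image_region(regions: Iterable[Region], base: int = DEFAULT_IMAGE_BASE) -> Optional[Region]:
    """Return the region covering the assumed image base, if any."""
    return next((r for r in regions if r.contains(base)), None)


def summarize(regions: Iterable[Region]) -> List[str]:
    """One fixed-width line per region, in the order given."""
    return [
        f"pid {r.pid:>5} seq {r.seq:>3} 0x{r.start:08X}-0x{r.end:08X} "
        f"{r.size:>8} bytes {'family_vidar' if r.family_hit else '-'}"
        for r in regions
    ]


if __name__ == "__main__":
    order = triage(DUMPS, FAMILY_HITS)
    print("\n".join(summarize(order)))
    img = image_region(order)
    if img is not None:
        # The mapped image is larger than the 675KB file because PE sections are
        # expanded to their virtual size in memory.
        print(f"assumed main module: seq {img.seq}, {img.size} bytes at 0x{img.start:X}")
```

Run against this report, the two family_vidar regions come out on top: seq 58 (0x400000-0x4D8000, the assumed module mapping) followed by seq 57 (0x4E0000-0x5B5000), a second region of almost the same size that also matched the family rule and is the natural candidate for an unpacked copy of the payload. The single-page dump of WerFault.exe (seq 59) sorts last.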