Behavioral Report

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 06:13

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
Size

675KB
MD5

cef76d7fba522e19ac03269b6275ff3f
SHA1

81cbb61d06fcd512081a5dac97a7865d98d7a22b
SHA256

c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d
SHA512

e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a

Score

10^/10

vidar 937 stealer

Malware Config

Extracted

Family

vidar

Version

48.1

Botnet

937

https://koyu.space/@rspich

Attributes

profile_id
937

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer ⋅ 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp	family_vidar
behavioral1/memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

Program crash ⋅ 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2044 1148 WerFault.exe c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
Suspicious behavior: EnumeratesProcesses ⋅ 5 IoCs

Processes:

WerFault.exe

pid process

2044 WerFault.exe
2044 WerFault.exe
2044 WerFault.exe
2044 WerFault.exe
2044 WerFault.exe
Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2044 WerFault.exe

pid	pid_target	process	target process
2044	1148	WerFault.exe	c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe

pid	process
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2044	WerFault.exe

Suspicious use of WriteProcessMemory ⋅ 4 IoCs

Processes:

c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe

description	pid	process	target process
PID 1148 wrote to memory of 2044	1148	c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe	WerFault.exe
PID 1148 wrote to memory of 2044	1148	c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe	WerFault.exe
PID 1148 wrote to memory of 2044	1148	c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe	WerFault.exe
PID 1148 wrote to memory of 2044	1148	c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe

"C:\Users\Admin\AppData\Local\Temp\c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe"

Suspicious use of WriteProcessMemory

PID:1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1364

Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:2044

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/1148-55-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download
memory/1148-56-0x0000000000310000-0x000000000038B000-memory.dmp

Filesize
492KB

Download
memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp

Filesize
852KB

Download
memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2044-59-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download