Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-02-2022 06:35
Static task
static1
Behavioral task
behavioral1
Sample
bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
Resource
win7-en-20211208
General
-
Target
bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
-
Size
679KB
-
MD5
f4a9c73c92501f4ada0ad74830610e11
-
SHA1
f5755ba5404a3fc467f850ff2dd01e6d9fd228fd
-
SHA256
bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4
-
SHA512
7eb7d62d729b2d2dbacd89d6f2a3d94f053ee0336a413fef76effd3a6b445e9f0877c931bfda11ac3624a0bb8ce09268fac4fb637b7d0ea128342a3d9ac80d7c
Malware Config
Extracted
Family
vidar
Version
48.4
Botnet
937
C2
https://koyu.space/@qmashton
Attributes
-
profile_id
937
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1916-56-0x00000000004E0000-0x00000000005B5000-memory.dmp family_vidar behavioral1/memory/1916-57-0x0000000000400000-0x00000000004D8000-memory.dmp family_vidar -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1528 1916 WerFault.exe bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1528 WerFault.exe 1528 WerFault.exe 1528 WerFault.exe 1528 WerFault.exe 1528 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1528 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1528 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exedescription pid process target process PID 1916 wrote to memory of 1528 1916 bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe WerFault.exe PID 1916 wrote to memory of 1528 1916 bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe WerFault.exe PID 1916 wrote to memory of 1528 1916 bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe WerFault.exe PID 1916 wrote to memory of 1528 1916 bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe"C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1300
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
00:00
00:00
Downloads
-
memory/1528-58-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/1916-54-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/1916-55-0x0000000000290000-0x000000000030B000-memory.dmpFilesize
492KB
-
memory/1916-56-0x00000000004E0000-0x00000000005B5000-memory.dmpFilesize
852KB
-
memory/1916-57-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB