General
Target: bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
Filesize: 679KB
Completed: 15-02-2022 06:38
Task: behavioral1
Score: 10/10
MD5: f4a9c73c92501f4ada0ad74830610e11
SHA1: f5755ba5404a3fc467f850ff2dd01e6d9fd228fd
SHA256: bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4
SHA512: 7eb7d62d729b2d2dbacd89d6f2a3d94f053ee0336a413fef76effd3a6b445e9f0877c931bfda11ac3624a0bb8ce09268fac4fb637b7d0ea128342a3d9ac80d7c

Malware Config
Extracted
Family: vidar
Version: 48.4
Botnet: 937
C2: https://koyu.space/@qmashton
Attributes
profile_id: 937
Signatures (7)

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer. Note that the C2 value extracted above is a profile URL on a Mastodon instance (koyu.space), not a server address: Vidar uses such social-media profiles as a dead drop, fetching the profile and reading the real C2 address out of it. The profile URL is therefore the indicator to hunt for; the actual C2 only becomes visible in network traffic, and none was recorded in this task.

  • Vidar Stealer

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1916-56-0x00000000004E0000-0x00000000005B5000-memory.dmp | family_vidar
    behavioral1/memory/1916-57-0x0000000000400000-0x00000000004D8000-memory.dmp | family_vidar
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1528 | 1916 | WerFault.exe | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid | process
    1528 | WerFault.exe (5 events)
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid | process
    1528 | WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1528 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe

    Reported IOCs

    description | pid | process | target process
    PID 1916 wrote to memory of 1528 | 1916 | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe | WerFault.exe (4 events)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe
    "C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe"
    Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1300
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1528
Network
MITRE ATT&CK Matrix
No techniques were mapped for this task (all tactic columns are empty).
Downloads
  • memory/1528-58-0x00000000003E0000-0x00000000003E1000-memory.dmp
  • memory/1916-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  • memory/1916-55-0x0000000000290000-0x000000000030B000-memory.dmp
  • memory/1916-56-0x00000000004E0000-0x00000000005B5000-memory.dmp
  • memory/1916-57-0x0000000000400000-0x00000000004D8000-memory.dmp
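The signature list, process tree and memory-dump listing above carry the whole verdict, but read raw they overstate it: five of the seven signatures fire on WerFault.exe, the Windows crash reporter that the sample's own crash spawned, and only the two YARA hits in PID 1916's memory actually say "Vidar". The script below is an added triage helper written for this page; it is not the sandbox vendor's code. The rows are the report's own values retyped as Python tuples, and the noise-versus-signal rule (anything raised on, or written into, a WerFault instance is crash-handler behaviour) is the editor's heuristic, not a sandbox feature. It also parses the dump names to show that the `0x400000` dump is the sample's mapped image (the default 32-bit PE image base), which is what the family rule matched on.

```python
import re
from collections import Counter

# Constructed from the report above: the sandbox's rows retyped as structured data.
SAMPLE = "bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe"

SIGNATURES = [
    # (signature, process, pid, target pid)
    ("Vidar Stealer", None, None, None),
    ("Program crash", "WerFault.exe", 1528, 1916),
    ("Suspicious behavior: EnumeratesProcesses", "WerFault.exe", 1528, None),
    ("Suspicious behavior: GetForegroundWindowSpam", "WerFault.exe", 1528, None),
    ("Suspicious use of AdjustPrivilegeToken", "WerFault.exe", 1528, None),
    ("Suspicious use of WriteProcessMemory", SAMPLE, 1916, 1528),
]

PROCESSES = [
    # (pid, image, command line) from the "Processes" tree
    (1916, SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    (1528, "WerFault.exe", "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1916 -s 1300"),
]

# Dump name -> YARA rule, from the "Vidar Stealer" signature's Reported IOCs
YARA_HITS = {
    "memory/1916-56-0x00000000004E0000-0x00000000005B5000-memory.dmp": "family_vidar",
    "memory/1916-57-0x0000000000400000-0x00000000004D8000-memory.dmp": "family_vidar",
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
# WerFault's -p argument is the PID of the faulting process; -s is a handle value
# the sandbox just records. -p is what ties PID 1528 back to PID 1916.
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\b", re.IGNORECASE)


def crashed_pids(processes):
    """Return {werfault_pid: faulting_pid} for every WerFault.exe in the tree."""
    out = {}
    for pid, _image, cmdline in processes:
        m = WERFAULT_RE.search(cmdline)
        if m:
            out[pid] = int(m.group(1))
    return out


def parse_dump(name):
    """Split a sandbox dump name into pid, index and the mapped address range."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, index, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {
        "pid": int(pid), "index": int(index), "start": start, "end": end,
        "size": end - start,
        # 0x400000 is the default image base of a 32-bit PE, so a dump that
        # starts there is the sample's own executable image in memory.
        "is_default_image_base": start == 0x400000,
    }


def triage(signatures, processes, yara_hits):
    """Separate crash-handler behaviour from evidence about the sample itself.

    Heuristic (editor's assumption): a signature raised on a WerFault instance,
    or whose write target is one, describes the crash reporter, not the malware.
    """
    werfault = crashed_pids(processes)
    noise, signal = [], []
    for name, proc, pid, target in signatures:
        if pid in werfault:
            noise.append((name, f"{proc} pid {pid} is the crash handler for pid {werfault[pid]}"))
        elif target in werfault:
            noise.append((name, f"pid {pid} writing into crash handler pid {target}"))
        else:
            signal.append(name)
    dumps = [parse_dump(d) for d in yara_hits]
    return {
        "crash_handler_noise": noise,
        "sample_signals": signal,
        "family_rule_hits": Counter(yara_hits.values()),
        "family_hit_pids": sorted({d["pid"] for d in dumps}),
        "image_base_hit": any(d["is_default_image_base"] for d in dumps),
    }


if __name__ == "__main__":
    result = triage(SIGNATURES, PROCESSES, YARA_HITS)
    for name, why in result["crash_handler_noise"]:
        print(f"noise : {name} ({why})")
    for name in result["sample_signals"]:
        print(f"signal: {name}")
    print("family rule hits:", dict(result["family_rule_hits"]),
          "in pids", result["family_hit_pids"],
          "incl. image base:", result["image_base_hit"])
```

Run as written it reports one signal ("Vidar Stealer", two `family_vidar` hits in PID 1916 including the image at the default base) and five noise entries. The practical takeaway is that the 10/10 score here is carried entirely by the memory YARA match and the extracted config; the WerFault lines would look identical for any crashing 32-bit binary and should not be turned into detection logic on their own.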