Analysis

max time kernel: 122s
max time network: 161s
platform: windows7_x64
resource: win7-en-20211208
submitted: 15-02-2022 08:04

Static task: static1

Behavioral task: behavioral1
Sample: 9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88.exe
Resource: win7-en-20211208 (windows7_x64)
0 signatures, 0 seconds
General

Target: 9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88.exe
Size: 3.6MB
MD5: 81a66564a1a5c2c2b7189681326804aa
SHA1: ac5e9117eea3f03baaf261125492610ec0bbdeb8
SHA256: 9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88
SHA512: e445e8a7f61353036ffb8c0b38efb5945411b6c7ff58f7920aa6b9328616da5f1fc87894c6ddf301eaec1226c5ca766d7aaabe3bbe7de4fb6a0a3356e8b513ec
Malware Config

Extracted
Family: vidar
Version: 48.1
Botnet: 932
C2: https://koyu.space/@rspich

Attributes
profile_id: 932
Signatures

Vidar Stealer 1 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/1932-56-0x0000000000400000-0x0000000000AF7000-memory.dmp  family_vidar

VMProtect packed file 1 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/1932-56-0x0000000000400000-0x0000000000AF7000-memory.dmp  vmprotect

Program crash 1 IoCs
  pid  process       pid_target  target process
  964  WerFault.exe  1932        9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs
  pid  process
  964  WerFault.exe  (5 identical rows)

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description               pid  process
  Token: SeDebugPrivilege   964  WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs
  description                        pid   process                                                                target process
  PID 1932 wrote to memory of 964    1932  9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88.exe  WerFault.exe  (4 identical rows)
Processes

1. C:\Users\Admin\AppData\Local\Temp\9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88.exe (PID 1932)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9356506457dc510ea9bb2743be661106573beb605dc6127bbf0a82b524eb8c88.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe (PID 964)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1300
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
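Added example, not part of the sandbox report: a small Python parser that pulls the PID and address range out of the memory-dump artifact name, reads the crashed PID from the WerFault.exe command line (-p is the crashed process, -s the event handle), and splits the C2 URL into instance and account. The "pid-seq-0xstart-0xend-memory.dmp" naming pattern and the rounded 3.6 MB file size are assumptions taken from this report's layout, not a documented sandbox format. Running it shows that the family_vidar hit, the vmprotect hit and the crash all refer to PID 1932, that the mapped 0x400000-0xAF7000 region (about 7.3 MB) is larger than the file on disk, and that the listed C2 is a Mastodon profile URL, which Vidar uses as a dead-drop to retrieve its real C2 address rather than as the exfiltration endpoint itself.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed inputs, copied from the report above.
MEMORY_DUMP = "behavioral1/memory/1932-56-0x0000000000400000-0x0000000000AF7000-memory.dmp"
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1300"
C2_URL = "https://koyu.space/@rspich"
FILE_SIZE_BYTES = 3_600_000  # "3.6MB" from the General section, rounded (assumption)

# Assumed artifact naming: <pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(path: str) -> MemoryRegion:
    """Extract the PID and address range from a memory-dump artifact name."""
    m = DUMP_NAME_RE.search(path)
    if m is None:
        raise ValueError(f"not a memory dump artifact name: {path}")
    return MemoryRegion(int(m["pid"]), int(m["start"], 16), int(m["end"], 16))


def parse_werfault_cmdline(cmdline: str) -> dict:
    """WerFault.exe -u -p <pid> -s <event>: -p is the PID of the crashed process."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].lower().endswith("werfault.exe"):
        raise ValueError("not a WerFault.exe command line")
    values = {}
    for flag in ("-p", "-s"):
        if flag in tokens:
            idx = tokens.index(flag)
            if idx + 1 < len(tokens) and tokens[idx + 1].isdigit():
                values[flag] = int(tokens[idx + 1])
    return {"crashed_pid": values.get("-p"), "event": values.get("-s")}


def dead_drop_account(url: str) -> tuple:
    """Split a Mastodon-style profile URL (https://instance/@account) into (instance, account)."""
    u = urlparse(url)
    handle = u.path.strip("/")
    if u.scheme not in ("http", "https") or not handle.startswith("@") or "/" in handle:
        raise ValueError(f"not a profile URL: {url}")
    return u.netloc, handle[1:]


def correlate(dump_path: str, werfault_cmdline: str, file_size: int) -> dict:
    """Tie the family_vidar memory hit to the crash record and the on-disk size."""
    region = parse_dump_name(dump_path)
    crash = parse_werfault_cmdline(werfault_cmdline)
    return {
        "pid": region.pid,
        "image_base": region.start,
        "in_memory_size": region.size,
        "crash_is_same_process": crash["crashed_pid"] == region.pid,
        # A packer that unpacks in place leaves a mapped image larger than the
        # file on disk; this flag is a hint to look at the dump, not proof.
        "unpacked_larger_than_file": region.size > file_size,
    }


if __name__ == "__main__":
    print(correlate(MEMORY_DUMP, WERFAULT_CMDLINE, FILE_SIZE_BYTES))
    print(dead_drop_account(C2_URL))
```

The correlation is the useful part for triage: when the only process with a family hit is also the one WerFault.exe was launched for, the stealer crashed before doing anything observable, which is why the behavioral task shows no network activity beyond the crash reporter.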