General

Target:     4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe
Filesize:   618KB
Completed:  15-02-2022 13:33
Task:       behavioral1
Score:      10/10
MD5:        353a21b3835ac7c17a82af79302d23cc
SHA1:       03e96fc686cc15a0bb26186ecb4fe63e6b841c4b
SHA256:     4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff
SHA512:     fccacf9a70f9151f081caa6c2d32c2cee3fb3e3c95ce10ee5c632f3007f54c5513b024fc10c9abc9eb9c7703e197360d569040ec3e47d182a123079cba0743dc

Malware Config

Extracted

Family:   vidar
Version:  41.7
Botnet:   937
C2:       https://mas.to/@lenka51

Attributes
profile_id:  937
Signatures 6

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Reported IOCs

    resource                                                                        yara_rule
    behavioral1/memory/1312-57-0x0000000000660000-0x0000000000736000-memory.dmp     family_vidar
    behavioral1/memory/1312-58-0x0000000000400000-0x00000000004D9000-memory.dmp     family_vidar
  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target   process        target process
    948   1312         WerFault.exe   4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    948   WerFault.exe
    948   WerFault.exe
    948   WerFault.exe
    948   WerFault.exe
    948   WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description                pid   process
    Token: SeDebugPrivilege    948   WerFault.exe
  • Suspicious use of WriteProcessMemory
    4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe

    Reported IOCs

    description                          pid    process                                                                  target process
    PID 1312 wrote to memory of 948      1312   4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe   WerFault.exe
    PID 1312 wrote to memory of 948      1312   4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe   WerFault.exe
    PID 1312 wrote to memory of 948      1312   4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe   WerFault.exe
    PID 1312 wrote to memory of 948      1312   4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe   WerFault.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe
    "C:\Users\Admin\AppData\Local\Temp\4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff.exe"
    Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1324
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:948
Downloads
  • memory/948-59-0x0000000000310000-0x0000000000311000-memory.dmp
  • memory/1312-55-0x0000000075801000-0x0000000075803000-memory.dmp
  • memory/1312-56-0x00000000002F0000-0x000000000036C000-memory.dmp
  • memory/1312-57-0x0000000000660000-0x0000000000736000-memory.dmp
  • memory/1312-58-0x0000000000400000-0x00000000004D9000-memory.dmp