General

Target:     32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe
Filesize:   655KB
Completed:  15-02-2022 14:33
Task:       behavioral1
Score:      10/10
MD5:        5214689cb18baecfe0267940ad845398
SHA1:       919514c68f7e009ddbb523fc17bbb2ba5604cac4
SHA256:     32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5
SHA512:     a2b18ac30bf332c5f473b48f6a570013dc9e8ec51ed212032253226d620a7b8018a05d018d8a0eea32e51ad5382b2b519d54da6bdebab8bae5f72664e8f500b9

Malware Config

Extracted

Family:   vidar
Version:  48.1
Botnet:   937
C2:       https://koyu.space/@rspich

Attributes

profile_id: 937
Signatures 7

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Tags

    Reported IOCs

    resource                                                                        yara_rule
    behavioral1/memory/1720-56-0x0000000001DB0000-0x0000000001E85000-memory.dmp   family_vidar
    behavioral1/memory/1720-57-0x0000000000400000-0x00000000004D8000-memory.dmp   family_vidar
  • Program crash
    WerFault.exe

    Reported IOCs

    pid    pid_target   process        target process
    1560   1720         WerFault.exe   32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid    process
    1560   WerFault.exe
    1560   WerFault.exe
    1560   WerFault.exe
    1560   WerFault.exe
    1560   WerFault.exe
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid    process
    1560   WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   1560   WerFault.exe
  • Suspicious use of WriteProcessMemory
    32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe

    Reported IOCs

    description                       pid    process                                                                 target process
    PID 1720 wrote to memory of 1560  1720   32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe   WerFault.exe
    PID 1720 wrote to memory of 1560  1720   32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe   WerFault.exe
    PID 1720 wrote to memory of 1560  1720   32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe   WerFault.exe
    PID 1720 wrote to memory of 1560  1720   32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe   WerFault.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe
    "C:\Users\Admin\AppData\Local\Temp\32057fad31bfb5015fc818847d245cd144a3c8166ae377cc4143ee5795ac06e5.exe"
    Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1296
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1560
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/1560-58-0x00000000003A0000-0x00000000003A1000-memory.dmp
  • memory/1720-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  • memory/1720-55-0x00000000002E0000-0x000000000035B000-memory.dmp
  • memory/1720-56-0x0000000001DB0000-0x0000000001E85000-memory.dmp
  • memory/1720-57-0x0000000000400000-0x00000000004D8000-memory.dmp