Overview

overview

10

Static

static

d790fed581...b2.exe

windows7_x64

10

d790fed581...b2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    21-03-2022 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d790fed581ba982731fc4257763d93b2.exe

  • Size

    1.9MB

  • MD5

    d790fed581ba982731fc4257763d93b2

  • SHA1

    f91dbf1e6e81b266a1cfa1fe307fcd3b9d491b27

  • SHA256

    aebfbaf72b832cf446789cedf82459f71587f48b2d44998d64215fafaf4b5fb6

  • SHA512

    a207b39908c480c25c7d33b56ed6b6f6a3c16ff5624d12537bac6972a847ae7cb82736b5d52dcae25e36494e6144309101e177fde5a2c42bc23ae59dd4c150b1

Score
10/10
vidar909stealer

Malware Config

Extracted

Family

vidar

Version

50.8

Botnet

909

C2

https://ieji.de/@sam7al

https://ru.social/@s4m74l
Attributes
  • profile_id

    909

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 3 IoCs
    stealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 62 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d790fed581ba982731fc4257763d93b2.exe
    "C:\Users\Admin\AppData\Local\Temp\d790fed581ba982731fc4257763d93b2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\fsutil.exe
      "C:\Windows\SysWOW64\fsutil.exe"
      2⤵
        PID:4028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 440
          3⤵
          • Program crash
          PID:4172
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4028 -ip 4028
      1⤵
        PID:2296

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/648-145-0x0000000005230000-0x00000000052CC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/648-135-0x0000000000750000-0x000000000093E000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/648-136-0x0000000005320000-0x00000000053BC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/648-137-0x0000000005970000-0x0000000005F14000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/648-138-0x00000000053C0000-0x0000000005452000-memory.dmp
        Filesize

        584KB

        Download
      • memory/648-139-0x0000000005230000-0x00000000052CC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/648-140-0x00000000052E0000-0x00000000052EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/648-141-0x00000000055B0000-0x0000000005606000-memory.dmp
        Filesize

        344KB

        Download
      • memory/648-134-0x0000000074FA0000-0x0000000075750000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/648-149-0x0000000071100000-0x0000000071112000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2964-152-0x000001BB395C0000-0x000001BB395C4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-154-0x000001BB39890000-0x000001BB39894000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-157-0x000001BB39860000-0x000001BB39864000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-156-0x000001BB39920000-0x000001BB39924000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-155-0x000001BB39890000-0x000001BB39894000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-143-0x000001BB36C60000-0x000001BB36C70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2964-150-0x000001BB395C0000-0x000001BB395C4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-151-0x000001BB395C0000-0x000001BB395C4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2964-142-0x000001BB363A0000-0x000001BB363B0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2964-153-0x000001BB394D0000-0x000001BB394D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2964-144-0x000001BB39220000-0x000001BB39224000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4028-148-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/4028-147-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/4028-146-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download