Analysis
-
max time kernel
4294219s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
24-03-2022 15:45
Static task
static1
Behavioral task
behavioral1
Sample
3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
Resource
win7-20220310-en
General
-
Target
3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
-
Size
2.7MB
-
MD5
b9e5e995024fe62b794d64f9a9fa4c4b
-
SHA1
37f08df51635d37df59129d5fef58acd82b5cee2
-
SHA256
3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066
-
SHA512
1b42289de9f7c2d3b9312965d19dfc6bb9a1bca9332d06ee6c5d79e915228c6e37f5e4e1bf5ae4579bad51808cee9e8224ee94a684dc0125223571580adc1291
Malware Config
Extracted
vidar
11.3
231
http://tonetm.com/
-
profile_id
231
Signatures
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1048-67-0x0000000000400000-0x0000000000593000-memory.dmp family_vidar -
Executes dropped EXE 2 IoCs
Processes:
YoutubeDownloader.exebinhost.exepid process 1920 YoutubeDownloader.exe 1048 binhost.exe -
Loads dropped DLL 5 IoCs
Processes:
3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exeYoutubeDownloader.exepid process 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe 1920 YoutubeDownloader.exe 1920 YoutubeDownloader.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com -
Drops file in Program Files directory 17 IoCs
Processes:
3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exedescription ioc process File created C:\Program Files (x86)\LetsSee!\Uninstall.ini 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\YoutubeExplode.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\MaterialDesignThemes.Wpf.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\binhost.exe 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\Tyrrrz.Extensions.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe.config 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\Uninstall.exe 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\System.Windows.Interactivity.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\MaterialDesignColors.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\Microsoft.Practices.ServiceLocation.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\Newtonsoft.Json.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\Tyrrrz.WpfExtensions.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Extras.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe File opened for modification C:\Program Files (x86)\LetsSee!\AngleSharp.dll 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
binhost.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 binhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString binhost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
binhost.exepid process 1048 binhost.exe 1048 binhost.exe 1048 binhost.exe 1048 binhost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exedescription pid process target process PID 1776 wrote to memory of 1920 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe YoutubeDownloader.exe PID 1776 wrote to memory of 1920 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe YoutubeDownloader.exe PID 1776 wrote to memory of 1920 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe YoutubeDownloader.exe PID 1776 wrote to memory of 1920 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe YoutubeDownloader.exe PID 1776 wrote to memory of 1048 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe binhost.exe PID 1776 wrote to memory of 1048 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe binhost.exe PID 1776 wrote to memory of 1048 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe binhost.exe PID 1776 wrote to memory of 1048 1776 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe binhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe"C:\Users\Admin\AppData\Local\Temp\3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe"C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\LetsSee!\binhost.exe"C:\Program Files (x86)\LetsSee!\binhost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dllMD5
8a8605653dbb974af3e48759e643c776
SHA1429e7eea63dabefb9747410db4bffd927a789047
SHA256ec0516b0e798346503abf08e6965c7b22d77fcf0bf2189673d68070cc98cf02f
SHA5120027a195306f48df8616b2285cc8e2183bfdc95e2b89b7962b415cb0514ae8a1171adaf4d5b5afa79d38459064a3a849ebe809396fb9b9fce38fb76e199136a3
-
C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exeMD5
ede675d5acdfd0443596ee2a6c99735c
SHA1f3b0cc4d1af3b02154a151207e7daa330314413d
SHA256e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98
SHA512135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b
-
C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exeMD5
ede675d5acdfd0443596ee2a6c99735c
SHA1f3b0cc4d1af3b02154a151207e7daa330314413d
SHA256e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98
SHA512135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b
-
C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe.configMD5
49250225471120d8da1e20614bdf5820
SHA125162ea18b0789f2316f3ebbde159aea66720122
SHA2564b58aa26ed3a8fe1ebee192229900c54bf2931284b11e646f7b5fe979b2c42e6
SHA512c91bdb500501f489925741841d657790702eeca421d622484773a87a10a9e7de638069e435916b5f3d23bde08b9a5660e82583eef4fd1dd76fee1fbe33079f07
-
C:\Program Files (x86)\LetsSee!\binhost.exeMD5
006689bf2ae6f8f91c8fe68c0fdf59b1
SHA1ddc928347c31db71f4d6ffb3af71d05d092a4db7
SHA25640ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d
SHA512407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272
-
\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dllMD5
8a8605653dbb974af3e48759e643c776
SHA1429e7eea63dabefb9747410db4bffd927a789047
SHA256ec0516b0e798346503abf08e6965c7b22d77fcf0bf2189673d68070cc98cf02f
SHA5120027a195306f48df8616b2285cc8e2183bfdc95e2b89b7962b415cb0514ae8a1171adaf4d5b5afa79d38459064a3a849ebe809396fb9b9fce38fb76e199136a3
-
\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dllMD5
8a8605653dbb974af3e48759e643c776
SHA1429e7eea63dabefb9747410db4bffd927a789047
SHA256ec0516b0e798346503abf08e6965c7b22d77fcf0bf2189673d68070cc98cf02f
SHA5120027a195306f48df8616b2285cc8e2183bfdc95e2b89b7962b415cb0514ae8a1171adaf4d5b5afa79d38459064a3a849ebe809396fb9b9fce38fb76e199136a3
-
\Program Files (x86)\LetsSee!\YoutubeDownloader.exeMD5
ede675d5acdfd0443596ee2a6c99735c
SHA1f3b0cc4d1af3b02154a151207e7daa330314413d
SHA256e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98
SHA512135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b
-
\Program Files (x86)\LetsSee!\binhost.exeMD5
006689bf2ae6f8f91c8fe68c0fdf59b1
SHA1ddc928347c31db71f4d6ffb3af71d05d092a4db7
SHA25640ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d
SHA512407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272
-
\Program Files (x86)\LetsSee!\binhost.exeMD5
006689bf2ae6f8f91c8fe68c0fdf59b1
SHA1ddc928347c31db71f4d6ffb3af71d05d092a4db7
SHA25640ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d
SHA512407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272
-
memory/1048-64-0x00000000005A0000-0x00000000006A0000-memory.dmpFilesize
1024KB
-
memory/1048-67-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/1048-60-0x0000000000000000-mapping.dmp
-
memory/1776-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmpFilesize
8KB
-
memory/1920-68-0x0000000001310000-0x000000000133A000-memory.dmpFilesize
168KB
-
memory/1920-56-0x0000000000000000-mapping.dmp
-
memory/1920-72-0x0000000000300000-0x000000000030A000-memory.dmpFilesize
40KB
-
memory/1920-73-0x0000000004B25000-0x0000000004B36000-memory.dmpFilesize
68KB