Analysis

  • max time kernel
    4294219s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    24-03-2022 15:45

General

  • Target

    3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe

  • Size

    2.7MB

  • MD5

    b9e5e995024fe62b794d64f9a9fa4c4b

  • SHA1

    37f08df51635d37df59129d5fef58acd82b5cee2

  • SHA256

    3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066

  • SHA512

    1b42289de9f7c2d3b9312965d19dfc6bb9a1bca9332d06ee6c5d79e915228c6e37f5e4e1bf5ae4579bad51808cee9e8224ee94a684dc0125223571580adc1291

Malware Config

Extracted

Family

vidar

Version

11.3

Botnet

231

C2

http://tonetm.com/

Attributes
  • profile_id

    231

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

  • Vidar Stealer 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
    "C:\Users\Admin\AppData\Local\Temp\3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe
      "C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1920
    • C:\Program Files (x86)\LetsSee!\binhost.exe
      "C:\Program Files (x86)\LetsSee!\binhost.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 4
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 4

Downloads

  • C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dll
    MD5

    8a8605653dbb974af3e48759e643c776

    SHA1

    429e7eea63dabefb9747410db4bffd927a789047

    SHA256

    ec0516b0e798346503abf08e6965c7b22d77fcf0bf2189673d68070cc98cf02f

    SHA512

    0027a195306f48df8616b2285cc8e2183bfdc95e2b89b7962b415cb0514ae8a1171adaf4d5b5afa79d38459064a3a849ebe809396fb9b9fce38fb76e199136a3

  • C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe
    MD5

    ede675d5acdfd0443596ee2a6c99735c

    SHA1

    f3b0cc4d1af3b02154a151207e7daa330314413d

    SHA256

    e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98

    SHA512

    135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b

  • C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe.config
    MD5

    49250225471120d8da1e20614bdf5820

    SHA1

    25162ea18b0789f2316f3ebbde159aea66720122

    SHA256

    4b58aa26ed3a8fe1ebee192229900c54bf2931284b11e646f7b5fe979b2c42e6

    SHA512

    c91bdb500501f489925741841d657790702eeca421d622484773a87a10a9e7de638069e435916b5f3d23bde08b9a5660e82583eef4fd1dd76fee1fbe33079f07

  • C:\Program Files (x86)\LetsSee!\binhost.exe
    MD5

    006689bf2ae6f8f91c8fe68c0fdf59b1

    SHA1

    ddc928347c31db71f4d6ffb3af71d05d092a4db7

    SHA256

    40ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d

    SHA512

    407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272

  • \Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dll
    MD5

    8a8605653dbb974af3e48759e643c776

    SHA1

    429e7eea63dabefb9747410db4bffd927a789047

    SHA256

    ec0516b0e798346503abf08e6965c7b22d77fcf0bf2189673d68070cc98cf02f

    SHA512

    0027a195306f48df8616b2285cc8e2183bfdc95e2b89b7962b415cb0514ae8a1171adaf4d5b5afa79d38459064a3a849ebe809396fb9b9fce38fb76e199136a3

  • \Program Files (x86)\LetsSee!\YoutubeDownloader.exe
    MD5

    ede675d5acdfd0443596ee2a6c99735c

    SHA1

    f3b0cc4d1af3b02154a151207e7daa330314413d

    SHA256

    e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98

    SHA512

    135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b

  • \Program Files (x86)\LetsSee!\binhost.exe
    MD5

    006689bf2ae6f8f91c8fe68c0fdf59b1

    SHA1

    ddc928347c31db71f4d6ffb3af71d05d092a4db7

    SHA256

    40ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d

    SHA512

    407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272

  • memory/1048-64-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize

    1024KB

  • memory/1048-67-0x0000000000400000-0x0000000000593000-memory.dmp
    Filesize

    1.6MB

  • memory/1048-60-0x0000000000000000-mapping.dmp
  • memory/1776-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
    Filesize

    8KB

  • memory/1920-68-0x0000000001310000-0x000000000133A000-memory.dmp
    Filesize

    168KB

  • memory/1920-56-0x0000000000000000-mapping.dmp
  • memory/1920-72-0x0000000000300000-0x000000000030A000-memory.dmp
    Filesize

    40KB

  • memory/1920-73-0x0000000004B25000-0x0000000004B36000-memory.dmp
    Filesize

    68KB