Analysis

  • max time kernel
    105s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    27-03-2022 20:35

General

  • Target

    9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe

  • Size

    458KB

  • MD5

    447a0125f5ab6e3299b4ec775eaff7d1

  • SHA1

    82b318a76b365031095324562444a409336cd507

  • SHA256

    9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c

  • SHA512

    c2420fe1d29ed83c3c494a2a1a560141cc69642331e08d675faa8af466973d93703d3c137a972393afb80cef9edf5ef4034e5479fa9a06dd2ce825ce8176b955

Malware Config

Extracted

Family

vidar

Version

34.2

Botnet

399

C2

http://poolventsystems.com/

Attributes
  • profile_id

    399

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store user data (account settings, saved credentials, message stores) on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
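The signatures above describe behaviours, not exact artifacts, so turning them into a detection means choosing concrete observables. The script below is an added example written for this page, not the sandbox's own signature logic: it scores Procmon-style events per PID against the extracted C2 host (from the report) plus assumed observables for the other signatures, and only flags a process that trips more than one rule, because a lone read of CentralProcessor keys is common in legitimate software. The registry key, the IP-lookup hostnames, the browser credential file names and every sample event line are assumptions or constructed data, not facts taken from this report.

```python
import csv
import io
import re
from collections import defaultdict

# From the report above: the extracted Vidar C2 host.
C2_HOSTS = {"poolventsystems.com"}

# Assumptions, not from the report: it names the behaviours (processor info read
# from the registry, external IP lookup, browser data read) but not the exact
# registry key, lookup service or files the sample touched.
CPU_KEY_RE = re.compile(r"HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+\\", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
BROWSER_CRED_FILES = ("\\login data", "\\logins.json", "\\cookies")

# Constructed Procmon-style CSV rows (time, process, PID, operation, path, result).
# They only exercise the rules; they are not telemetry from the sandbox run.
# PID 912 mirrors the report; msinfo32.exe/chrome.exe rows are benign noise.
SAMPLE_EVENTS = r"""20:35:01,9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe,912,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString,SUCCESS
20:35:01,9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe,912,CreateFile,C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data,SUCCESS
20:35:02,9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe,912,TCP Connect,api.ipify.org:443,SUCCESS
20:35:03,9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe,912,TCP Connect,poolventsystems.com:80,SUCCESS
20:35:04,msinfo32.exe,1404,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz,SUCCESS
20:35:05,chrome.exe,2210,TCP Connect,www.google.com:443,SUCCESS
"""


def _host_of(path):
    """'host:port' -> 'host', lower-cased for set lookup."""
    return path.rsplit(":", 1)[0].lower()


def classify(op, path):
    """Return the set of rule names one event satisfies (possibly empty)."""
    hits = set()
    if op == "RegQueryValue" and CPU_KEY_RE.search(path):
        hits.add("cpu_info_registry_read")
    elif op == "CreateFile" and path.lower().endswith(BROWSER_CRED_FILES):
        hits.add("browser_credential_store_read")
    elif op == "TCP Connect":
        host = _host_of(path)
        if host in C2_HOSTS:
            hits.add("vidar_c2_contact")
        elif host in IP_LOOKUP_HOSTS:
            hits.add("external_ip_lookup")
    return hits


def score_events(csv_text):
    """Aggregate rule hits per PID: {pid: {"process": name, "hits": set(rule names)}}."""
    findings = defaultdict(lambda: {"process": None, "hits": set()})
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 6:
            continue  # blank or malformed line
        _time, proc, pid, op, path, _result = row
        hits = classify(op, path)
        if hits:
            entry = findings[int(pid)]
            entry["process"] = proc
            entry["hits"] |= hits
    return dict(findings)


def suspicious_pids(findings, min_rules=2):
    """PIDs that tripped at least `min_rules` distinct rules.

    Contact with the extracted C2 is a hard indicator and flags on its own; the
    behavioural rules need corroboration because each occurs in benign software."""
    out = []
    for pid, entry in sorted(findings.items()):
        if "vidar_c2_contact" in entry["hits"] or len(entry["hits"]) >= min_rules:
            out.append(pid)
    return out


if __name__ == "__main__":
    findings = score_events(SAMPLE_EVENTS)
    for pid in suspicious_pids(findings):
        print(pid, findings[pid]["process"], sorted(findings[pid]["hits"]))
```

On the constructed rows only PID 912 is reported; msinfo32.exe reads the same processor key but trips a single rule and stays below the threshold, which is the point of scoring rather than alerting on each signature alone.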

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe
    "C:\Users\Admin\AppData\Local\Temp\9ca8917f05e4aba70e38234b3f9e19ae10e368b7830f2d3147249be9f645823c.exe"
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 3


Downloads

  • memory/912-54-0x000000000308B000-0x00000000030E1000-memory.dmp
    Filesize

    344KB

  • memory/912-55-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB

  • memory/912-56-0x000000000308B000-0x00000000030E1000-memory.dmp
    Filesize

    344KB

  • memory/912-57-0x00000000002A0000-0x0000000000326000-memory.dmp
    Filesize

    536KB

  • memory/912-58-0x0000000000400000-0x0000000002FFF000-memory.dmp
    Filesize

    44.0MB
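The dump file names above encode the PID, a sequence number and the dumped address range, so the listed sizes can be recomputed and the regions triaged before opening any of them. The script below is an added example for this page, not the sandbox's own tooling: it parses the names, reproduces the report's size column, collapses the repeated dump of 0x308B000-0x30E1000 (sequence 54 and 56), and singles out any region whose virtual span is many times the 458KB on-disk size. Treating 0x400000 as the default 32-bit PE image base, and the "458KB" figure as 458 * 1024 bytes, are assumptions; the report gives neither an exact byte count nor the image base.

```python
import re

# Dump names copied from the Downloads section of the report.
DUMP_NAMES = [
    "memory/912-54-0x000000000308B000-0x00000000030E1000-memory.dmp",
    "memory/912-55-0x0000000075341000-0x0000000075343000-memory.dmp",
    "memory/912-56-0x000000000308B000-0x00000000030E1000-memory.dmp",
    "memory/912-57-0x00000000002A0000-0x0000000000326000-memory.dmp",
    "memory/912-58-0x0000000000400000-0x0000000002FFF000-memory.dmp",
]

# "Size 458KB" from the report; the exact byte count is not on the page (assumption).
ON_DISK_SIZE = 458 * 1024
# Assumption: 0x400000 is the default image base of a 32-bit PE, so a region
# starting there is taken to be the loaded executable itself.
DEFAULT_IMAGE_BASE = 0x400000

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format like the report's Filesize column: whole KB below 1 MiB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def unique_regions(names):
    """Collapse repeated dumps of the same address range into one entry (first seq wins)."""
    seen = {}
    for name in names:
        r = parse_dump_name(name)
        seen.setdefault((r["start"], r["end"]), r)
    return list(seen.values())


def oversized_regions(names, disk_size=ON_DISK_SIZE, ratio=8):
    """Regions whose virtual span exceeds `ratio` times the file on disk.

    A mapped image far larger than its file implies sections with a large
    VirtualSize and little raw data, which is typical of packed or crypted
    loaders that unpack into that space; such a dump is the one to open first."""
    out = []
    for r in unique_regions(names):
        if r["size"] > ratio * disk_size:
            out.append({**r,
                        "image_base": r["start"] == DEFAULT_IMAGE_BASE,
                        "ratio": round(r["size"] / disk_size, 1)})
    return out


if __name__ == "__main__":
    for r in unique_regions(DUMP_NAMES):
        print(f"pid {r['pid']} seq {r['seq']:>2} {r['start']:#010x}-{r['end']:#010x} {human_size(r['size'])}")
    for r in oversized_regions(DUMP_NAMES):
        print(f"oversized: {r['start']:#x} is {r['ratio']}x the on-disk size, image base: {r['image_base']}")
```

Recomputing the sizes gives exactly the report's 344KB, 8KB, 344KB, 536KB and 44.0MB, and the 0x400000 region stands out at roughly 98 times the file size, consistent with a packed loader, though the report itself does not state that the sample is packed.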