Analysis
-
max time kernel
94s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 21:45
General
-
Target
37e9a0eba3c734e5794c2b745eeb0cb8407720f4cb5db6d5ec4f3fa8fb660e10.exe
-
Size
3.6MB
-
MD5
62dd160627b4ab323aa2625e1b531a78
-
SHA1
3fe982cbaf1401761d2a39a421612463d04318f9
-
SHA256
37e9a0eba3c734e5794c2b745eeb0cb8407720f4cb5db6d5ec4f3fa8fb660e10
-
SHA512
e502511ad7f3eef5af2112776fb15b2162c05fcd44715cc9fc249515fa1aa58ea14f87d6029572d9026d21b68d37911c8f88d831443b07f15eb5f714a798223d
Malware Config
Extracted
vidar
9.6
231
http://iloveshaus.com/
-
profile_id
231
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\37e9a0eba3c734e5794c2b745eeb0cb8407720f4cb5db6d5ec4f3fa8fb660e10.exe"C:\Users\Admin\AppData\Local\Temp\37e9a0eba3c734e5794c2b745eeb0cb8407720f4cb5db6d5ec4f3fa8fb660e10.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe"C:\Program Files (x86)\LetsSee!\busshost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe"C:\Program Files (x86)\LetsSee!\YTLoader.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 16163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4640 -ip 46401⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
603KB
MD53434a305576232a06f840f56cab88302
SHA10df43ac91c316fa72567dff53c3c5144c49be59b
SHA256c1380790d4d476e4336265ef17738757ea70f88ae0f17e997b6cb15268b13909
SHA512caf89a43ce1c9eb855300bc8c582fcc6b77be9fa89ae7a171fe547e94b81eefed11e7a9c3d1939969b91f9f4d8c343b19a14494dd806e91c048d526d0a08c8d9
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
603KB
MD53434a305576232a06f840f56cab88302
SHA10df43ac91c316fa72567dff53c3c5144c49be59b
SHA256c1380790d4d476e4336265ef17738757ea70f88ae0f17e997b6cb15268b13909
SHA512caf89a43ce1c9eb855300bc8c582fcc6b77be9fa89ae7a171fe547e94b81eefed11e7a9c3d1939969b91f9f4d8c343b19a14494dd806e91c048d526d0a08c8d9
-
memory/2796-139-0x0000000000400000-0x00000000004E3000-memory.dmpFilesize
908KB
-
memory/2796-148-0x00000000021B0000-0x00000000022B0000-memory.dmpFilesize
1024KB
-
memory/2796-137-0x00000000021B0000-0x00000000022B0000-memory.dmpFilesize
1024KB
-
memory/2796-149-0x0000000000400000-0x00000000004E3000-memory.dmpFilesize
908KB
-
memory/2796-130-0x0000000000000000-mapping.dmp
-
memory/4640-142-0x0000000005B30000-0x0000000005B38000-memory.dmpFilesize
32KB
-
memory/4640-141-0x0000000005B10000-0x0000000005B18000-memory.dmpFilesize
32KB
-
memory/4640-133-0x0000000000000000-mapping.dmp
-
memory/4640-143-0x0000000005B40000-0x0000000005B48000-memory.dmpFilesize
32KB
-
memory/4640-144-0x0000000006360000-0x0000000006368000-memory.dmpFilesize
32KB
-
memory/4640-145-0x0000000006380000-0x0000000006388000-memory.dmpFilesize
32KB
-
memory/4640-146-0x0000000006390000-0x0000000006398000-memory.dmpFilesize
32KB
-
memory/4640-147-0x00000000063A0000-0x00000000063A8000-memory.dmpFilesize
32KB
-
memory/4640-140-0x0000000005B00000-0x0000000005B0A000-memory.dmpFilesize
40KB
-
memory/4640-138-0x0000000000F20000-0x0000000001228000-memory.dmpFilesize
3.0MB