Analysis

  • max time kernel
    106s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-07-2022 19:05

General

  • Target

    4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe

  • Size

    1.0MB

  • MD5

    595e3b35d8b2e0ccb94f965fe77b3e9b

  • SHA1

    b30700d72c12199bb5cba584c077ec37d690e10e

  • SHA256

    4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c

  • SHA512

    20c24d12fc5dec908df49b52ad4915dff475e05d874575652323d55de014710ea6420b48c6be0edb17606603eda02f763ac2eee7f9fda69b8e74b21b7986a786

Malware Config

Extracted

Family

vidar

Version

4.9

Botnet

227

C2

http://benediktonpoins.ug/

Attributes
  • profile_id

    227

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 3 IoCs
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar log file 1 IoCs

    Detects a log file produced by Vidar.

  • Vidar Stealer 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
    "C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\FAC4.tmp
      "C:\Users\Admin\AppData\Local\Temp\FAC4.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\system32\mstsc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
    • C:\Users\Admin\AppData\Local\Temp\FB61.tmp
      "C:\Users\Admin\AppData\Local\Temp\FB61.tmp"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1704
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x408
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 4
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 4

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FAC4.tmp
    Filesize

    510KB

    MD5

    d67a0135081b15524de94a9c58ab029d

    SHA1

    48d4f9573acd255426e9812417d6f773ed726095

    SHA256

    5e4bdc3df4d21cc7a8a10639b252cb9717953de8880dd03c6d00e91b4594450f

    SHA512

    694a4dd33532ff0f8bf89a92d87916d518e6b284d09832a7d28fcedfadaf9c10529c167e675318761a0cc0d4f710a2f9537b9eabdca4dae85a0629fbc5f44c8a

  • C:\Users\Admin\AppData\Local\Temp\FB61.tmp
    Filesize

    742KB

    MD5

    c673e62fc1d5d0e646f3ba51f1d8c1d6

    SHA1

    ccd251089f8fdb7819ddb48305eab19280c8042f

    SHA256

    fbc9f53e0c980140c0ea7f1228aa01104a280fea5c1dd454ce4530d6c9443618

    SHA512

    65d57dcb0db426b28ced3b5c7507bb5f3c4c5cf79bd773fbd3ad889b7de79c9eda3307132367ce0b586e871cc5f7f59d0a8e8c32fdebc0ba31e29900e2d7bfba

  • memory/1012-66-0x0000000000000000-mapping.dmp
  • memory/1012-72-0x0000000000080000-0x0000000000097000-memory.dmp
    Filesize

    92KB

  • memory/1012-69-0x0000000000080000-0x0000000000097000-memory.dmp
    Filesize

    92KB

  • memory/1012-67-0x0000000000080000-0x0000000000097000-memory.dmp
    Filesize

    92KB

  • memory/1496-57-0x0000000075731000-0x0000000075733000-memory.dmp
    Filesize

    8KB

  • memory/1496-65-0x0000000000400000-0x0000000000484000-memory.dmp
    Filesize

    528KB

  • memory/1496-71-0x000000000ED80000-0x000000000ED88000-memory.dmp
    Filesize

    32KB

  • memory/1496-55-0x0000000000000000-mapping.dmp
  • memory/1704-64-0x00000000002E0000-0x00000000002E8000-memory.dmp
    Filesize

    32KB

  • memory/1704-62-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

  • memory/1704-59-0x0000000000000000-mapping.dmp