Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-07-2022 19:05

General

  • Target

    4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe

  • Size

    1.0MB

  • MD5

    595e3b35d8b2e0ccb94f965fe77b3e9b

  • SHA1

    b30700d72c12199bb5cba584c077ec37d690e10e

  • SHA256

    4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c

  • SHA512

    20c24d12fc5dec908df49b52ad4915dff475e05d874575652323d55de014710ea6420b48c6be0edb17606603eda02f763ac2eee7f9fda69b8e74b21b7986a786

Malware Config

Extracted

Family

vidar

Version

4.9

Botnet

227

C2

http://benediktonpoins.ug/

Attributes
  • profile_id

    227

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 3 IoCs
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar log file 1 IoCs

    Detects a log file produced by Vidar.

  • Vidar Stealer 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
    "C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\5FD8.tmp
      "C:\Users\Admin\AppData\Local\Temp\5FD8.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\system32\mstsc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3744
    • C:\Users\Admin\AppData\Local\Temp\6027.tmp
      "C:\Users\Admin\AppData\Local\Temp\6027.tmp"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2228
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x160 0x2c8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 4
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 4

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5FD8.tmp
    Filesize

    510KB

    MD5

    d67a0135081b15524de94a9c58ab029d

    SHA1

    48d4f9573acd255426e9812417d6f773ed726095

    SHA256

    5e4bdc3df4d21cc7a8a10639b252cb9717953de8880dd03c6d00e91b4594450f

    SHA512

    694a4dd33532ff0f8bf89a92d87916d518e6b284d09832a7d28fcedfadaf9c10529c167e675318761a0cc0d4f710a2f9537b9eabdca4dae85a0629fbc5f44c8a

  • C:\Users\Admin\AppData\Local\Temp\6027.tmp
    Filesize

    742KB

    MD5

    c673e62fc1d5d0e646f3ba51f1d8c1d6

    SHA1

    ccd251089f8fdb7819ddb48305eab19280c8042f

    SHA256

    fbc9f53e0c980140c0ea7f1228aa01104a280fea5c1dd454ce4530d6c9443618

    SHA512

    65d57dcb0db426b28ced3b5c7507bb5f3c4c5cf79bd773fbd3ad889b7de79c9eda3307132367ce0b586e871cc5f7f59d0a8e8c32fdebc0ba31e29900e2d7bfba

  • memory/1176-139-0x0000000000400000-0x0000000000484000-memory.dmp
    Filesize

    528KB

  • memory/1176-142-0x000000000ED00000-0x000000000ED08000-memory.dmp
    Filesize

    32KB

  • memory/1176-130-0x0000000000000000-mapping.dmp
  • memory/2228-136-0x00000000023D0000-0x00000000023D8000-memory.dmp
    Filesize

    32KB

  • memory/2228-137-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

  • memory/2228-133-0x0000000000000000-mapping.dmp
  • memory/3744-140-0x0000000000000000-mapping.dmp
  • memory/3744-141-0x0000000000720000-0x0000000000737000-memory.dmp
    Filesize

    92KB

  • memory/3744-143-0x0000000000720000-0x0000000000737000-memory.dmp
    Filesize

    92KB