Overview

overview

10

Static

static

cbcd2fbfc1...67.exe

windows7-x64

10

cbcd2fbfc1...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2022 04:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67.exe

  • Size

    894KB

  • MD5

    e4c6c1ca703d77b521ace023bee2df08

  • SHA1

    61e97bd5a83c7b264af225d2b75eef4bd07d5b93

  • SHA256

    cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67

  • SHA512

    61007ce908055fe3f1e07d9ee9f7c40dd232f5de87b924552a5090622870a95d51e4c2b8e6312dd086c0bdeed668e40119c61dfc195d609595fa98652d67c705

Score
10/10
azorultvidar543discoveryinfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

vidar

Version

18.2

Botnet

543

C2

http://barjamanis.com/

Attributes
  • profile_id

    543

Extracted

Family

azorult

C2

http://23.106.124.148/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata
  • Vidar Stealer 4 IoCs
    stealer
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
    adwarespyware
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67.exe
    "C:\Users\Admin\AppData\Local\Temp\cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1iB8r7.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:468
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im wotsuper.exe /f & erase C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im wotsuper.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1212
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
      2⤵
      • Executes dropped EXE
      PID:944
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Adds Run key to start application
      • Runs .reg file with regedit
      PID:1580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/10f7w3.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    Filesize

    557KB

    MD5

    bbb30f4967d6b28dc1f9ec475cfda6f3

    SHA1

    ced404f9e3a5e0c4882dde80bddac029966e7661

    SHA256

    34d88c992a7c5223e30c3805a5ae96bccd150267450428c7c4ca30b587622765

    SHA512

    0e78b75712c9f1562b49e9d423276c8ece3e8e1a46372146ec4c92ef1aaee68d6bcbfb332ade4113ba38e40645428846d51b9e641877d8fc7fe9962ebdccc7e7

    Download Submit
  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
    Filesize

    423KB

    MD5

    e37e62ee36bfe4dcec2239b22ad12c30

    SHA1

    7c60f0922966894ff872a5741affe1c7bc6ca179

    SHA256

    43213971e296853a951da06a4c58fd21a6b041833417707f0256f5129655cee2

    SHA512

    4e5aa53e88f2450e0740b782a1f466057ea46513032e873a5485cfcf39197967766b82cd8b59474ad9debcbca51b09b254d34711842eae3f5a527999782a1ff3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BB25941-0BE1-11ED-A495-62FF45EB19D5}.dat
    Filesize

    5KB

    MD5

    2f952ea8ef9d287e4f1f4cda7a836a76

    SHA1

    0df5251170f8a907f4b19094e9562bd309e70a73

    SHA256

    2a28f29123fcd31669fecd34c8b449a31a2e53c014f6355660c5f2abb99a2d5c

    SHA512

    a712268b42391ceb061e9959dfea08c9f8a4919e14074cbdf73e415f7388a316353ed80febfc8081053f3f10945b5cef0df1454974e36f631e5b941002ed090f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BF814D1-0BE1-11ED-A495-62FF45EB19D5}.dat
    Filesize

    3KB

    MD5

    a0ec1a9bc413137d04930be8609025b0

    SHA1

    6d801b81eeed8a6c7838e0a290aa8e9ad31bd05d

    SHA256

    74163a1dee731c6ef17cdeb3f6d0f1dd4f1d7ce148fe07f20cd6bd091f819416

    SHA512

    5bed0792d049bf8ff5db008e69cdd6b57e685a8d1097d5b1f05ca6a336a2a25d85d9fb9dffb6261056b858f9745d3c791873db584629577ac00b4a0c067a835b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U724FHC7.txt
    Filesize

    599B

    MD5

    b5284120e1f38aae3541962376d99e12

    SHA1

    ec3e06fc30ba7425e911d341d259e4dbec962f2a

    SHA256

    6f90606cec31cd19b8ac6601a144f7fc98dcc9f20fdf47d141341717aa023533

    SHA512

    5a90cb3911fdd65b67b29d83425194e5592a9f2078c9a762e7421b0beefca3849f385cb540f14430a01a16ec3929add15ea6e2a3468bda3192bbfff9a9fe153d

    Download Submit
  • C:\Windows\wotsuper.reg
    Filesize

    450B

    MD5

    42f073434559fb6b9c67aba86de89d1b

    SHA1

    9b969de41fc717353619068e46f21ec1db093ab5

    SHA256

    03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed

    SHA512

    b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    Filesize

    557KB

    MD5

    bbb30f4967d6b28dc1f9ec475cfda6f3

    SHA1

    ced404f9e3a5e0c4882dde80bddac029966e7661

    SHA256

    34d88c992a7c5223e30c3805a5ae96bccd150267450428c7c4ca30b587622765

    SHA512

    0e78b75712c9f1562b49e9d423276c8ece3e8e1a46372146ec4c92ef1aaee68d6bcbfb332ade4113ba38e40645428846d51b9e641877d8fc7fe9962ebdccc7e7

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    Filesize

    557KB

    MD5

    bbb30f4967d6b28dc1f9ec475cfda6f3

    SHA1

    ced404f9e3a5e0c4882dde80bddac029966e7661

    SHA256

    34d88c992a7c5223e30c3805a5ae96bccd150267450428c7c4ca30b587622765

    SHA512

    0e78b75712c9f1562b49e9d423276c8ece3e8e1a46372146ec4c92ef1aaee68d6bcbfb332ade4113ba38e40645428846d51b9e641877d8fc7fe9962ebdccc7e7

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
    Filesize

    423KB

    MD5

    e37e62ee36bfe4dcec2239b22ad12c30

    SHA1

    7c60f0922966894ff872a5741affe1c7bc6ca179

    SHA256

    43213971e296853a951da06a4c58fd21a6b041833417707f0256f5129655cee2

    SHA512

    4e5aa53e88f2450e0740b782a1f466057ea46513032e873a5485cfcf39197967766b82cd8b59474ad9debcbca51b09b254d34711842eae3f5a527999782a1ff3

    Download Submit
  • memory/672-57-0x0000000000000000-mapping.dmp
    Download
  • memory/672-77-0x000000000026B000-0x00000000002C2000-memory.dmp
    Filesize

    348KB

    Download
  • memory/672-65-0x000000000026B000-0x00000000002C2000-memory.dmp
    Filesize

    348KB

    Download
  • memory/672-67-0x00000000004A0000-0x000000000052A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/672-68-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize

    636KB

    Download
  • memory/672-81-0x000000000026B000-0x00000000002C2000-memory.dmp
    Filesize

    348KB

    Download
  • memory/672-82-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize

    636KB

    Download
  • memory/672-79-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize

    636KB

    Download
  • memory/944-66-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/944-78-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/944-76-0x0000000001EA0000-0x0000000001F8C000-memory.dmp
    Filesize

    944KB

    Download
  • memory/944-71-0x0000000000310000-0x0000000000330000-memory.dmp
    Filesize

    128KB

    Download
  • memory/944-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1212-83-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-54-0x0000000075851000-0x0000000075853000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-80-0x0000000000000000-mapping.dmp
    Download