Overview

overview

10

Static

static

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2023 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.1MB

  • MD5

    e52f5370a68e1ee7b5f24b708924025b

  • SHA1

    bf920f1fe420f1c8dc8dba7112f1b57bf0d6dfb7

  • SHA256

    75fcb5d94124e7f3d099d6ac35a1af401bd52d68d6480a231171ae3b4833688a

  • SHA512

    7a2245652656888ec46a4a081aaa52ca86723b6d251059882b756fd0b7c8b0a576ad29c0b46fe3706a40d680c3940f3cadbd3716de98066b64b0b904fb624286

  • SSDEEP

    49152:B61lu6RZizQwhPuMaWFVCInTda0xW7hl8A:gG6KQwh2Mao9w+W7DZ

Score
10/10
lgoogloadervidar641downloaderspywarestealer

Malware Config

Extracted

Family

vidar

Version

1.8

Botnet

641

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923
Attributes
  • profile_id

    641

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Loads dropped DLL 3 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2616
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\SysWOW64\fontview.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            4⤵
            • Delays execution with timeout.exe
            PID:5016
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
          PID:1048

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\mozglue.dll
        Filesize

        133KB

        MD5

        8f73c08a9660691143661bf7332c3c27

        SHA1

        37fa65dd737c50fda710fdbde89e51374d0c204a

        SHA256

        3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

        SHA512

        0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

        Download Submit
      • C:\ProgramData\nss3.dll
        Filesize

        1.2MB

        MD5

        bfac4e3c5908856ba17d41edcd455a51

        SHA1

        8eec7e888767aa9e4cca8ff246eb2aacb9170428

        SHA256

        e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

        SHA512

        2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp240558953.dll
        Filesize

        617KB

        MD5

        44b25d6ac0bccdccb9e9412e0fe85c1e

        SHA1

        175cf3733360d01184d033c18cefdc5a1e626409

        SHA256

        581739ae51a7ed197d380b14a29d75d29370241d8ee900a25bb5d04183315c81

        SHA512

        421ec70f308bb6a1dd716eb181f295d84662e7115543b1ec0142d82765e79e3b5f0040d8bd970d475c891090cf97d155110e05e2729f61a4ed9afd787fd25da2

        Download Submit
      • memory/1048-139-0x0000000000400000-0x0000000000440000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1048-135-0x0000000000000000-mapping.dmp
        Download
      • memory/1048-138-0x0000000000400000-0x0000000000440000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1048-136-0x0000000000400000-0x0000000000440000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1048-140-0x0000000000400000-0x0000000000440000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1048-142-0x0000000002690000-0x000000000269D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1048-141-0x0000000002670000-0x0000000002679000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1208-147-0x00000000037B0000-0x0000000003982000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1208-134-0x000000000D200000-0x000000000D505000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1208-173-0x00000000037B0000-0x0000000003982000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1208-133-0x00000000037B0000-0x0000000003982000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1208-132-0x000000000D200000-0x000000000D505000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1208-148-0x000000000D200000-0x000000000D505000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/3588-171-0x0000000000000000-mapping.dmp
        Download
      • memory/5016-174-0x0000000000000000-mapping.dmp
        Download
      • memory/5028-149-0x00000000506E0000-0x0000000050772000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5028-144-0x0000000000880000-0x00000000008E1000-memory.dmp
        Filesize

        388KB

        Download
      • memory/5028-146-0x0000000000880000-0x00000000008E1000-memory.dmp
        Filesize

        388KB

        Download
      • memory/5028-170-0x0000000000880000-0x00000000008E1000-memory.dmp
        Filesize

        388KB

        Download
      • memory/5028-172-0x0000000000880000-0x00000000008E1000-memory.dmp
        Filesize

        388KB

        Download
      • memory/5028-145-0x0000000000000000-mapping.dmp
        Download