Overview

overview

10

Static

static

a53466fc1c...cd.exe

windows7-x64

10

a53466fc1c...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2023 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a53466fc1c01a7fa4ac637e46c8ca0cd.exe

  • Size

    596KB

  • MD5

    a53466fc1c01a7fa4ac637e46c8ca0cd

  • SHA1

    1fd22e354e8ca425a1de630bffb54e2d10435b62

  • SHA256

    adb4d5bc0e359b762c9af262bcbaecd7effc14742631afdc650eb8b8feb54003

  • SHA512

    756e67a0241671a1dd7b42f5c481be79fc5f07f7a24e22abc0629d575a6f34362d4ccd35a5f6d6d831830a60495b2f25e11b205d0adcb115c8b8131895af277d

  • SSDEEP

    12288:PToPWBv/cpGrU3ywDwK7KvDJCbAvyDcdSCYZLYL6h:PTbBv5rUTwK78dChctYZLYL6h

Score
10/10
asyncratvidar818persistenceratspywarestealer

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

818

C2

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815
Attributes
  • profile_id

    818

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a53466fc1c01a7fa4ac637e46c8ca0cd.exe
    "C:\Users\Admin\AppData\Local\Temp\a53466fc1c01a7fa4ac637e46c8ca0cd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\scoresystem.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\scoresystem.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WATCHT~2.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WATCHT~2.EXE
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1444
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
            PID:812
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            4⤵
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:920
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4376
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                6⤵
                • Delays execution with timeout.exe
                PID:1972
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1717.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1717.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 304
          3⤵
          • Program crash
          PID:4752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4652 -ip 4652
      1⤵
        PID:4420

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\mozglue.dll
        Filesize

        133KB

        MD5

        8f73c08a9660691143661bf7332c3c27

        SHA1

        37fa65dd737c50fda710fdbde89e51374d0c204a

        SHA256

        3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

        SHA512

        0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

        Download Submit
      • C:\ProgramData\nss3.dll
        Filesize

        1.2MB

        MD5

        bfac4e3c5908856ba17d41edcd455a51

        SHA1

        8eec7e888767aa9e4cca8ff246eb2aacb9170428

        SHA256

        e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

        SHA512

        2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WATCHT~2.EXE
        Filesize

        362.4MB

        MD5

        10155f7d28c09033e8064c23d8d753db

        SHA1

        42362a2d24e1e7bf7f97a2f5fb72a81306536bb6

        SHA256

        2f78ba61101b4ae38e44d1e0edad8b195bc801b4cd91c4c8881d547c7073c655

        SHA512

        a626aa9a6f605bdfcb5d0455e1db27022b16a368aaefc2b7842c7aa188221ad9efa78ea1a7d915c0513e6ac3db564d2777601f1c7921864cacd793be6b81bd41

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WATCHT~2.EXE
        Filesize

        362.4MB

        MD5

        10155f7d28c09033e8064c23d8d753db

        SHA1

        42362a2d24e1e7bf7f97a2f5fb72a81306536bb6

        SHA256

        2f78ba61101b4ae38e44d1e0edad8b195bc801b4cd91c4c8881d547c7073c655

        SHA512

        a626aa9a6f605bdfcb5d0455e1db27022b16a368aaefc2b7842c7aa188221ad9efa78ea1a7d915c0513e6ac3db564d2777601f1c7921864cacd793be6b81bd41

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1717.exe
        Filesize

        457KB

        MD5

        66e815946cfe9ffe0027ebf4db30fda9

        SHA1

        a0edd0ab8909ac842ec77573497fe7f40401beb8

        SHA256

        21314404c10b04494713bd805fff8d42fc63513b5a4c434b4826a41c9b556c22

        SHA512

        94335b7fb0c2952df4fbae0fa630f3ec5612783866d86d468f5b4429ba1c2617939ebeed7c54c8ebe2db9fa1f837e929974e646211ff8ce7e35c505c33679660

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1717.exe
        Filesize

        457KB

        MD5

        66e815946cfe9ffe0027ebf4db30fda9

        SHA1

        a0edd0ab8909ac842ec77573497fe7f40401beb8

        SHA256

        21314404c10b04494713bd805fff8d42fc63513b5a4c434b4826a41c9b556c22

        SHA512

        94335b7fb0c2952df4fbae0fa630f3ec5612783866d86d468f5b4429ba1c2617939ebeed7c54c8ebe2db9fa1f837e929974e646211ff8ce7e35c505c33679660

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\scoresystem.exe
        Filesize

        630KB

        MD5

        de39a7b5729cecc97244042f6eb858f7

        SHA1

        be4b03f12f9a81a2cbf6c782c66d230e609e0424

        SHA256

        f2e08945074adcc47885bd4f848112b9605238d0cc00db1e686bc567b408e687

        SHA512

        e01266297515b23e6f25cfd379c6c611f3ea94a58d239b0f3cd5254c4de503a2ee7ca0b150b14da6b7c81954c15025e57ce88bd796d1d150832f51a69b57c0f8

        Download Submit
      • memory/812-147-0x0000000000000000-mapping.dmp
        Download
      • memory/920-164-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/920-148-0x0000000000000000-mapping.dmp
        Download
      • memory/920-189-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/920-150-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/920-167-0x0000000060900000-0x0000000060992000-memory.dmp
        Filesize

        584KB

        Download
      • memory/920-151-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/920-149-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/1444-144-0x00000000068C0000-0x00000000068DE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1444-140-0x0000000003280000-0x00000000032B6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1444-146-0x0000000006DD0000-0x0000000006DEA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1444-145-0x00000000080F0000-0x000000000876A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1444-143-0x00000000061C0000-0x0000000006226000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1444-139-0x0000000000000000-mapping.dmp
        Download
      • memory/1444-142-0x0000000006050000-0x00000000060B6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1444-141-0x0000000005920000-0x0000000005F48000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1972-190-0x0000000000000000-mapping.dmp
        Download
      • memory/2428-155-0x0000000000000000-mapping.dmp
        Download
      • memory/2428-161-0x0000000002E20000-0x0000000002E32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2428-163-0x0000000005C20000-0x0000000005C5C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2428-165-0x0000000006000000-0x000000000609C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2428-166-0x0000000006650000-0x0000000006BF4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2428-156-0x0000000000400000-0x0000000000422000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4088-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4376-188-0x0000000000000000-mapping.dmp
        Download
      • memory/4544-137-0x0000000000DB0000-0x0000000000DBA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4544-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4544-138-0x0000000006590000-0x00000000065B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4652-162-0x0000000000DB0000-0x0000000000E26000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4652-152-0x0000000000000000-mapping.dmp
        Download