Analysis
-
max time kernel
62s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
27-03-2023 13:30
General
-
Target
file.exe
-
Size
1.7MB
-
MD5
7811c8e24019a783e1c72e7eeb58215f
-
SHA1
d21422ed627d291a80e08fa77d3cfc126e94d4cc
-
SHA256
b70354fa72344ed5262ef55243ab71e20149fcd87ec772b4b77ea44c93ff79b8
-
SHA512
1f6299d5df5fa6c59f5cefe1a4b64e19511e5308c82d279d237bf1d6492fcc7e01eff349382c9dfddaf51e01f55d735849c6ba351f86a4fa437dae811efbcf10
-
SSDEEP
24576:IzYyxHFKIlJX0oXMAsksIyESF/PvWGS5JcT1pWNpFj6zpe3rNNyJfOxmsAYQCOUO:+YyjxM3kMF/Eb+o3QYQJURnCyZrxS
Malware Config
Extracted
vidar
3.1
ba1fc89d9f7df84dadf34886aabb246c
https://t.me/owned001
http://65.109.236.2:80
https://t.me/tabootalks
https://steamcommunity.com/profiles/76561199472266392
http://135.181.26.183:80
-
profile_id_v2
ba1fc89d9f7df84dadf34886aabb246c
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79
Signatures
-
Detects LgoogLoader payload 1 IoCs
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Loads dropped DLL 3 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SYSWOW64\fontview.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 17923⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2548 -ip 25481⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
566KB
MD58e084634f942776f71c350a5545fe39f
SHA1f245590544ddbfdd97691383fef1b1056d89f28a
SHA256ee83bc569b8fd831c17845778042ffef7f4a96f9fa54a28ab8517ff2954a1517
SHA51280e7350c1749923017bbcf08545ccea3ef78926557047a034aa99916851226c1c959bba74920cf3640abe124c0052cf0736662b5eabdbbeb91236602a20f13f0
-
Filesize
2.6MB
-
Filesize
436KB
-
Filesize
972KB
-
Filesize
436KB
-
Filesize
436KB
-
Filesize
208KB
-
Filesize
52KB
-
Filesize
36KB
-
Filesize
208KB
-
Filesize
208KB