Overview

overview

10

Static

static

1

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.7MB

  • MD5

    7811c8e24019a783e1c72e7eeb58215f

  • SHA1

    d21422ed627d291a80e08fa77d3cfc126e94d4cc

  • SHA256

    b70354fa72344ed5262ef55243ab71e20149fcd87ec772b4b77ea44c93ff79b8

  • SHA512

    1f6299d5df5fa6c59f5cefe1a4b64e19511e5308c82d279d237bf1d6492fcc7e01eff349382c9dfddaf51e01f55d735849c6ba351f86a4fa437dae811efbcf10

  • SSDEEP

    24576:IzYyxHFKIlJX0oXMAsksIyESF/PvWGS5JcT1pWNpFj6zpe3rNNyJfOxmsAYQCOUO:+YyjxM3kMF/Eb+o3QYQJURnCyZrxS

Score
10/10
lgoogloadervidarba1fc89d9f7df84dadf34886aabb246cdownloaderspywarestealer

Malware Config

Extracted

Family

vidar

Version

3.1

Botnet

ba1fc89d9f7df84dadf34886aabb246c

C2

https://t.me/owned001

http://65.109.236.2:80

https://t.me/tabootalks

https://steamcommunity.com/profiles/76561199472266392

http://135.181.26.183:80
Attributes
  • profile_id_v2

    ba1fc89d9f7df84dadf34886aabb246c

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Loads dropped DLL 3 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2604
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1792
          3⤵
          • Program crash
          PID:2396
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
          PID:2704
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2548 -ip 2548
        1⤵
          PID:4300

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit
        • C:\ProgramData\nss3.dll
          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\240554390.dll
          Filesize

          566KB

          MD5

          8e084634f942776f71c350a5545fe39f

          SHA1

          f245590544ddbfdd97691383fef1b1056d89f28a

          SHA256

          ee83bc569b8fd831c17845778042ffef7f4a96f9fa54a28ab8517ff2954a1517

          SHA512

          80e7350c1749923017bbcf08545ccea3ef78926557047a034aa99916851226c1c959bba74920cf3640abe124c0052cf0736662b5eabdbbeb91236602a20f13f0

          Download Submit
        • memory/1660-134-0x000000000B2C0000-0x000000000B563000-memory.dmp
          Filesize

          2.6MB

          Download
        • memory/2548-145-0x0000000000A20000-0x0000000000A8D000-memory.dmp
          Filesize

          436KB

          Download
        • memory/2548-156-0x0000000061E00000-0x0000000061EF3000-memory.dmp
          Filesize

          972KB

          Download
        • memory/2548-224-0x0000000000A20000-0x0000000000A8D000-memory.dmp
          Filesize

          436KB

          Download
        • memory/2548-225-0x0000000000A20000-0x0000000000A8D000-memory.dmp
          Filesize

          436KB

          Download
        • memory/2704-138-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download
        • memory/2704-140-0x0000000002D90000-0x0000000002D9D000-memory.dmp
          Filesize

          52KB

          Download
        • memory/2704-139-0x0000000001180000-0x0000000001189000-memory.dmp
          Filesize

          36KB

          Download
        • memory/2704-137-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download
        • memory/2704-135-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download