Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2023 13:38
Static task: static1
Behavioral task: behavioral1
Sample: b1e4435d0ad9130d9f1a6355454883cc.exe
Resource: win7-20231215-en
Platform: windows7-x64
7 signatures, 150 seconds
General
Target: b1e4435d0ad9130d9f1a6355454883cc.exe
Size: 563KB
MD5: b1e4435d0ad9130d9f1a6355454883cc
SHA1: cc6fa54f06ec39e87b2fcbe1dfab3330edd913fd
SHA256: a7871004d96e99be9bc56c380d202abe563cf9693b5603cc2104608e292de247
SHA512: e8c26e22434ae91631b16455d2bde6de15533e89ad6db7e3a3f28473242ece632ec775be2f984d422a0ecf44b11c0dfab42b0283dd35380326ef5ff6c50cee6e
SSDEEP: 12288:E5af4cghIxOZuX86JY1oowOZ6XxAiVrjJgostVFVNV:Saf4cgus8XfeXv6T7YHFVNV
Malware Config
Extracted
Family: vidar
Version: 39.8
Botnet: 921
C2: https://xeronxikxxx.tumblr.com/
Attributes
profile_id: 921
Signatures

Vidar Stealer (5 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/880-11-0x0000000000400000-0x00000000004A1000-memory.dmp    family_vidar
behavioral2/memory/880-9-0x0000000000400000-0x00000000004A1000-memory.dmp     family_vidar
behavioral2/memory/880-8-0x0000000000400000-0x00000000004A1000-memory.dmp     family_vidar
behavioral2/memory/880-6-0x0000000000400000-0x00000000004A1000-memory.dmp     family_vidar
behavioral2/memory/880-21-0x0000000000400000-0x00000000004A1000-memory.dmp    family_vidar

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                          pid    process                                 target process
PID 3188 set thread context of 880   3188   b1e4435d0ad9130d9f1a6355454883cc.exe    b1e4435d0ad9130d9f1a6355454883cc.exe

Program crash (1 IoC)
Processes:
pid    pid_target   process        target process
3432   880          WerFault.exe   b1e4435d0ad9130d9f1a6355454883cc.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid    process
Token: SeDebugPrivilege   3188   b1e4435d0ad9130d9f1a6355454883cc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description                         pid    process                                 target process
PID 3188 wrote to memory of 1984    3188   b1e4435d0ad9130d9f1a6355454883cc.exe    b1e4435d0ad9130d9f1a6355454883cc.exe   (3 identical entries)
PID 3188 wrote to memory of 880     3188   b1e4435d0ad9130d9f1a6355454883cc.exe    b1e4435d0ad9130d9f1a6355454883cc.exe   (8 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b1e4435d0ad9130d9f1a6355454883cc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b1e4435d0ad9130d9f1a6355454883cc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b1e4435d0ad9130d9f1a6355454883cc.exe
      command line: C:\Users\Admin\AppData\Local\Temp\b1e4435d0ad9130d9f1a6355454883cc.exe
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1184
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\b1e4435d0ad9130d9f1a6355454883cc.exe
      command line: C:\Users\Admin\AppData\Local\Temp\b1e4435d0ad9130d9f1a6355454883cc.exe
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 880 -ip 880
Network
MITRE ATT&CK Matrix
Downloads
memory/880-11-0x0000000000400000-0x00000000004A1000-memory.dmp    Filesize: 644KB
memory/880-9-0x0000000000400000-0x00000000004A1000-memory.dmp     Filesize: 644KB
memory/880-8-0x0000000000400000-0x00000000004A1000-memory.dmp     Filesize: 644KB
memory/880-6-0x0000000000400000-0x00000000004A1000-memory.dmp     Filesize: 644KB
memory/880-21-0x0000000000400000-0x00000000004A1000-memory.dmp    Filesize: 644KB
memory/3188-0-0x0000000000C20000-0x0000000000CB0000-memory.dmp    Filesize: 576KB
memory/3188-1-0x0000000075260000-0x0000000075A10000-memory.dmp    Filesize: 7.7MB
memory/3188-2-0x0000000005740000-0x0000000005750000-memory.dmp    Filesize: 64KB
memory/3188-4-0x00000000056B0000-0x0000000005726000-memory.dmp    Filesize: 472KB
memory/3188-3-0x0000000005600000-0x0000000005622000-memory.dmp    Filesize: 136KB
memory/3188-5-0x0000000005670000-0x000000000568E000-memory.dmp    Filesize: 120KB
memory/3188-10-0x0000000075260000-0x0000000075A10000-memory.dmp   Filesize: 7.7MB