Overview

overview

10

Static

static

1

996af577d0...4f.exe

windows7-x64

10

996af577d0...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2024 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    996af577d0b7957878a5555912ddd74f.exe

  • Size

    710KB

  • MD5

    996af577d0b7957878a5555912ddd74f

  • SHA1

    e40f74f3ceab3231f9237fcd4de000ada1b8ee21

  • SHA256

    e3c0e5f7a2d013deae3df17e954419bc9abe5bda42e7b9175c0406ff785e003e

  • SHA512

    7c805b5cabac069157ed8566329f0a1e77573bae82f60450b0d70f7a959c0549019495757900216b8bc64be8269a715529b338c1a5e560daaeba4b57c3e448a4

  • SSDEEP

    12288:HY0BF+5DTXmEtkxOZuX86JY1oowOZ6XxAiVrjJgostVpkIOTJiVTKo:4pKs8XfeXv6T7YHKlITKo

Score
10/10
vidar921stealer

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

921

C2

https://xeronxikxxx.tumblr.com/

Attributes
  • profile_id

    921

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 5 IoCs
    stealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\996af577d0b7957878a5555912ddd74f.exe
    "C:\Users\Admin\AppData\Local\Temp\996af577d0b7957878a5555912ddd74f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\996af577d0b7957878a5555912ddd74f.exe
      C:\Users\Admin\AppData\Local\Temp\996af577d0b7957878a5555912ddd74f.exe
      2⤵
        PID:1676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1240
          3⤵
          • Program crash
          PID:3028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1676 -ip 1676
      1⤵
        PID:3560

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1672-6-0x00000000054F0000-0x0000000005566000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1672-0-0x0000000000930000-0x00000000009E4000-memory.dmp
        Filesize

        720KB

        Download
      • memory/1672-2-0x0000000005460000-0x0000000005470000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1672-3-0x0000000002E60000-0x0000000002E61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1672-4-0x0000000074970000-0x0000000075120000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1672-5-0x00000000053C0000-0x00000000053E0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1672-1-0x0000000074970000-0x0000000075120000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1672-7-0x0000000005470000-0x000000000548E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1672-11-0x0000000074970000-0x0000000075120000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1676-10-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/1676-8-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/1676-12-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/1676-13-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/1676-23-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download