Overview

overview

10

Static

static

1

c513c1da60...ff.exe

windows7-x64

10

c513c1da60...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-03-2024 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c513c1da60b31eaa8b46870f9f0e29ff.exe

  • Size

    1.4MB

  • MD5

    c513c1da60b31eaa8b46870f9f0e29ff

  • SHA1

    b564919aeb814216d09f6a79221efcf7a22de7b6

  • SHA256

    a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

  • SHA512

    13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

  • SSDEEP

    12288:8WHN1E9Z+v+yxI0W/0rT823E8ugpwrTzE8hEi4noP0+l7+kRQwWlKHaLhYnc4KJk:/1Eb+vbxtTlUfP4q1n

Score
10/10
vidar921stealer

Malware Config

Extracted

Family

vidar

Version

40

Botnet

921

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    921

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 5 IoCs
    stealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c513c1da60b31eaa8b46870f9f0e29ff.exe
    "C:\Users\Admin\AppData\Local\Temp\c513c1da60b31eaa8b46870f9f0e29ff.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\c513c1da60b31eaa8b46870f9f0e29ff.exe
      C:\Users\Admin\AppData\Local\Temp\c513c1da60b31eaa8b46870f9f0e29ff.exe
      2⤵
        PID:4544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1208
          3⤵
          • Program crash
          PID:4136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4544 -ip 4544
      1⤵
        PID:1216

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4044-6-0x0000000005290000-0x00000000052B8000-memory.dmp
        Filesize

        160KB

        Download
      • memory/4044-1-0x00000000746E0000-0x0000000074E90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4044-2-0x0000000005560000-0x0000000005B04000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4044-3-0x0000000005050000-0x00000000050E2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4044-4-0x0000000005020000-0x0000000005030000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4044-5-0x0000000005000000-0x000000000500A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4044-0-0x00000000005D0000-0x000000000073C000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/4044-11-0x00000000746E0000-0x0000000074E90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4544-7-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/4544-9-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/4544-10-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/4544-12-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/4544-22-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download