Analysis
  max time kernel: 142s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 28-03-2024 07:01
Static task: static1

Behavioral task: behavioral1
  Sample: 8dae8b6a6be6e3527183594d1c26a2d3.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 8dae8b6a6be6e3527183594d1c26a2d3.exe
  Resource: win10v2004-20240226-en
General
  Target: 8dae8b6a6be6e3527183594d1c26a2d3.exe
  Size: 277KB
  MD5: 8dae8b6a6be6e3527183594d1c26a2d3
  SHA1: b87e40cee60869a36e79c88c8a3a34baf0bc4889
  SHA256: afce72cd3bc717c784962083066e3ede2b0aaadbe0908ec7360096c923774fa5
  SHA512: 0bf065700db647efba39a13a58242a595907e6c11885575cf0bdad9e23ab40583c8a6535464e46d75d075e20d88b7a6305a761df9da787fdc8728483dd48f96e
  SSDEEP: 6144:GtcSsUDC2OZuhYRQqPY3x/OKV/LYZsTZgzENh+a1:TSsUO2cuhY1m/VYZsI
Malware Config

Extracted
  Family: vidar
  Version: 8.6
  Botnet: 5739ef2bbcd39fcd59c5746bfe4238c5
  C2:
    https://steamcommunity.com/profiles/76561199658817715
    https://t.me/sa9ok
  Attributes:
    profile_id_v2: 5739ef2bbcd39fcd59c5746bfe4238c5
    user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Signatures

Detect Vidar Stealer (5 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2240-4-0x0000000000230000-0x0000000000261000-memory.dmp  family_vidar_v7
  behavioral1/memory/2212-5-0x0000000000400000-0x0000000000644000-memory.dmp  family_vidar_v7
  behavioral1/memory/2212-7-0x0000000000400000-0x0000000000644000-memory.dmp  family_vidar_v7
  behavioral1/memory/2212-8-0x0000000000400000-0x0000000000644000-memory.dmp  family_vidar_v7
  behavioral1/memory/2212-136-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7

Suspicious use of SetThreadContext (1 IoC)
  description                              pid   process                               target process
  PID 2240 set thread context of 2212      2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe

Program crash (1 IoC)
  pid   pid_target  process       target process
  1316  2212        WerFault.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
Modifies system certificate store
  description       ioc                                                                                                                 process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25            8dae8b6a6be6e3527183594d1c26a2d3.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value not captured)   8dae8b6a6be6e3527183594d1c26a2d3.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (long hex certificate blob omitted)  8dae8b6a6be6e3527183594d1c26a2d3.exe
  Note: the omitted Blob decodes to the self-signed DigiCert High Assurance EV Root CA, whose SHA-1 thumbprint is the key name above; writes to AuthRoot\Certificates of a well-known public root are normally the Windows root-certificate auto-update populating the store during the sample's first TLS connection, not the malware installing its own root. Treat this signature as context for the C2 traffic rather than as a persistence indicator.
Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   process                               target process
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2240 wrote to memory of 2212   2240  8dae8b6a6be6e3527183594d1c26a2d3.exe  8dae8b6a6be6e3527183594d1c26a2d3.exe
  PID 2212 wrote to memory of 1316   2212  8dae8b6a6be6e3527183594d1c26a2d3.exe  WerFault.exe
  PID 2212 wrote to memory of 1316   2212  8dae8b6a6be6e3527183594d1c26a2d3.exe  WerFault.exe
  PID 2212 wrote to memory of 1316   2212  8dae8b6a6be6e3527183594d1c26a2d3.exe  WerFault.exe
  PID 2212 wrote to memory of 1316   2212  8dae8b6a6be6e3527183594d1c26a2d3.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8dae8b6a6be6e3527183594d1c26a2d3.exe (PID 2240)
   command line: "C:\Users\Admin\AppData\Local\Temp\8dae8b6a6be6e3527183594d1c26a2d3.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8dae8b6a6be6e3527183594d1c26a2d3.exe (PID 2212, child of 2240; the parent writes the unpacked Vidar payload into this process and redirects its thread with SetThreadContext)
      command line: "C:\Users\Admin\AppData\Local\Temp\8dae8b6a6be6e3527183594d1c26a2d3.exe"
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (PID 1316, child of 2212)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1468
         - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 177c4ccee41b9e3667d2dca5a483f18b
  SHA1: 0f3c399065c08016bbe2660112241490a8ba0ff1
  SHA256: f2047deb443a713278604b092758239e6e4fec672812d6ae75bf494a11681a52
  SHA512: 72edb1a98d6f986f95c2d935de3222baa495b8b8310a01f36f04e7c214ccacb03ec5e42e8d35dd84cceb493ead635c9d6a5efc08f2a32eb7197acb4574bea5c0

C:\Users\Admin\AppData\Local\Temp\Tar5097.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2212-5-0x0000000000400000-0x0000000000644000-memory.dmp
  Filesize: 2.3MB

memory/2212-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

memory/2212-7-0x0000000000400000-0x0000000000644000-memory.dmp
  Filesize: 2.3MB

memory/2212-8-0x0000000000400000-0x0000000000644000-memory.dmp
  Filesize: 2.3MB

memory/2212-136-0x0000000000400000-0x0000000000644000-memory.dmp
  Filesize: 2.3MB

memory/2240-2-0x00000000006E0000-0x00000000007E0000-memory.dmp
  Filesize: 1024KB

memory/2240-4-0x0000000000230000-0x0000000000261000-memory.dmp
  Filesize: 196KB