Analysis

max time kernel: 111s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 20:03
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240221-en
  6 signatures, 150 seconds
General

Target: file.exe
Size: 214KB
MD5: 6ffddfaa28979ea075045cd5a8d69cb2
SHA1: f69ed91bbcfa5061b7261fb11935c19a9ae52aec
SHA256: df85d61e9523c0f3012f47049bec8c388f7bc8cf5e4daf4ead1f1f1ed0a60c64
SHA512: 9acf3cd91ef99c1ab06dd60721d34d76f1383038e542612e60db04014f86e1ee14b6d8a84ba1a4d424f113a121b89dcd1ee6f57d9866f29b4fd8ae35e0106bbb
SSDEEP: 6144:bJINz3fZmYbDhiX9wLWLKfzNv75mHrk/NOBRLyA:ex3hmYbI9SJh6rkV
Malware Config (extracted)

Family: vidar
C2:
  https://steamcommunity.com/profiles/76561199662282318
  https://t.me/t8jmhl
Attributes:
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0
Signatures

Detect Vidar Stealer (3 IoCs)
Processes:
  resource                                                              yara_rule
  behavioral2/memory/4672-4-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral2/memory/4672-9-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral2/memory/4672-11-0x0000000000400000-0x0000000000648000-memory.dmp  family_vidar_v7

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process   target pid   target process
  PID 2884 set thread context of 4672  2884  file.exe  4672         RegAsm.exe

Program crash (1 IoC)
Processes:
  pid   pid_target   process       target process
  3176  4672         WerFault.exe  RegAsm.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (the same entry is recorded 10 times):
  description                     pid   process   target pid   target process
  PID 2884 wrote to memory of 4672  2884  file.exe  4672         RegAsm.exe
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2884
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 4672

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 2244
          PID: 3176
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4672 -ip 4672
  PID: 3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5088 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
  PID: 1700