Analysis
- max time kernel: 67s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 19:27
Static task
- static1: 1 signature
Behavioral task
- behavioral1
  - Sample: payload.exe
  - Resource: win7-20240221-en (windows7-x64)
  - 5 signatures
  - 150 seconds
General
- Target: payload.exe
- Size: 422KB
- MD5: 03750d84804cd05a1e7366dd52e67f71
- SHA1: c64e12d70a131e168d54e4074c3a11668779381d
- SHA256: 9ce8c75892fbdc4793558467d98e05b17459cdce4078b0fb7c270495d195d747
- SHA512: bcffeebef54e05fac8b7ef3c8d491a686c8de0f5a00f8bf94f9486fb5091e1a916bc491256bf58a6751f9d128c4d9148bad97a3d459976862f26104d6988e4f7
- SSDEEP: 6144:29KDb7RpkvFCCTnOPivspTpwlHe6EiZ1gFrzTt8ceX7seXztApIvejJXcxQC:zb7RpkMCsppwlRgFXG9XdtOp5ciC
Malware Config
Extracted
- Family: vidar
- C2:
  - https://steamcommunity.com/profiles/76561199677575543
  - https://t.me/snsb82
- Attributes:
  - user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Signatures
- Detect Vidar Stealer (5 IoCs)
  Processes (resource -> yara_rule):
  - behavioral2/memory/3892-0-0x0000000000BB0000-0x0000000000C1E000-memory.dmp -> family_vidar_v7
  - behavioral2/memory/3892-2-0x0000000000BB0000-0x0000000000C1E000-memory.dmp -> family_vidar_v7
  - behavioral2/memory/3748-1-0x0000000000400000-0x000000000064A000-memory.dmp -> family_vidar_v7
  - behavioral2/memory/3748-4-0x0000000000400000-0x000000000064A000-memory.dmp -> family_vidar_v7
  - behavioral2/memory/3748-6-0x0000000000400000-0x000000000064A000-memory.dmp -> family_vidar_v7
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - payload.exe: PID 3892 set thread context of 3748 | 3892 | payload.exe | RegAsm.exe
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  - WerFault.exe: 540 | 3748 | WerFault.exe | RegAsm.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process), 10 identical entries:
  - payload.exe: PID 3892 wrote to memory of 3748 | 3892 | payload.exe | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1468
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
Network
MITRE ATT&CK Matrix
Downloads
- memory/3748-1-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize: 2.3MB)
- memory/3748-4-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize: 2.3MB)
- memory/3748-6-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize: 2.3MB)
- memory/3892-0-0x0000000000BB0000-0x0000000000C1E000-memory.dmp (Filesize: 440KB)
- memory/3892-2-0x0000000000BB0000-0x0000000000C1E000-memory.dmp (Filesize: 440KB)