Analysis
- max time kernel: 55s
- max time network: 49s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 09:36

Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: file.exe
  - Resource: win7-20240215-en (windows7-x64)
  - 0 signatures
  - 150 seconds
General
- Target: file.exe
- Size: 393KB
- MD5: ff733e726fcfa0e0d094632aa19b4065
- SHA1: edd1869fd8dfdfc66c4dd2dddb9aaeaf2abddcf6
- SHA256: ca3e439e801067d9e9bc06009833c499021275bbf4ae0ecfa6d431954896fcb3
- SHA512: 25db239d607b61d5d23920b1b9e92f3631c69bbe54ff97494ab1665d542a9b055e7c97fcc0cd68211685a50eba2b48b8901c7354db1932528cbe4b0cc1a9fe57
- SSDEEP: 6144:wGNRPs+yOtDqvFTbThqw4qMNSxPzv1j2gD4x7UKW6QYjP:3RPs+yOoDqfXNSx87UKpjP
Malware Config
Extracted
- Family: vidar
- C2:
  - https://steamcommunity.com/profiles/76561199677575543
  - https://t.me/snsb82
- Attributes
  - user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Signatures
- Detect Vidar Stealer (5 IoCs)
  Processes:
  resource                                                              yara_rule
  behavioral2/memory/960-0-0x0000000000210000-0x0000000000277000-memory.dmp    family_vidar_v7
  behavioral2/memory/960-3-0x0000000000210000-0x0000000000277000-memory.dmp    family_vidar_v7
  behavioral2/memory/1624-1-0x0000000000400000-0x000000000064A000-memory.dmp   family_vidar_v7
  behavioral2/memory/1624-5-0x0000000000400000-0x000000000064A000-memory.dmp   family_vidar_v7
  behavioral2/memory/1624-7-0x0000000000400000-0x000000000064A000-memory.dmp   family_vidar_v7
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                              pid   process    target process
  PID 960 set thread context of 1624       960   file.exe   RegAsm.exe
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process         target process
  4836   1624         WerFault.exe    RegAsm.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
  description                        pid   process    target process
  PID 960 wrote to memory of 2408    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2408    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2408    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 4288    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 4288    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 4288    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2124    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2124    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2124    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2808    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2808    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 2808    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
  PID 960 wrote to memory of 1624    960   file.exe   RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1488
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1624 -ip 1624
Network
MITRE ATT&CK Matrix
Downloads
- memory/960-0-0x0000000000210000-0x0000000000277000-memory.dmp (Filesize: 412KB)
- memory/960-3-0x0000000000210000-0x0000000000277000-memory.dmp (Filesize: 412KB)
- memory/1624-1-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize: 2.3MB)
- memory/1624-5-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize: 2.3MB)
- memory/1624-7-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize: 2.3MB)