Analysis
max time kernel: 133s
max time network: 244s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-06-2024 01:36
Static task: static1
Behavioral task: behavioral1
Sample: c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe
Resource: win7-20240508-en
General
Target: c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe
Size: 3.6MB
MD5: 131e367009cf014321e7a70e70c4067c
SHA1: 4c02332af53519fdae235f804f5144ba9c7e725d
SHA256: c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89
SHA512: 3702fefbcf4eab279484359f61d997b7c32d9c77dd9e255a44e96de9373d18b68ff262037494203f181c359aca549020dcfea3db01d11f8f51e224261259f99e
SSDEEP: 49152:fWN3Bsjz4Ddee7wE4o40nQaoJab9Xejv2aH0n2EBvnE8/8OhkqdHG22T9d:f6ujz4DdeClnE8f4T
Malware Config
Extracted: stealc
Extracted: vidar
  https://t.me/r8z0l
  https://steamcommunity.com/profiles/76561199698764354
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Signatures

Detect Vidar Stealer (2 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/2880-67-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
  behavioral2/memory/2880-69-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7

Downloads MZ/PE file

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 4684 set thread context of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 1 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe

Delays execution with timeout.exe (1 IoCs)
Processes (pid | process):
  4240 | timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
  2880 | RegAsm.exe
  2880 | RegAsm.exe
  2880 | RegAsm.exe
  2880 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | pid | process | target process):
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 4684 wrote to memory of 2880 | 4684 | c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe | RegAsm.exe
  PID 2880 wrote to memory of 4916 | 2880 | RegAsm.exe | cmd.exe
  PID 2880 wrote to memory of 4916 | 2880 | RegAsm.exe | cmd.exe
  PID 2880 wrote to memory of 4916 | 2880 | RegAsm.exe | cmd.exe
  PID 4916 wrote to memory of 4240 | 4916 | cmd.exe | timeout.exe
  PID 4916 wrote to memory of 4240 | 4916 | cmd.exe | timeout.exe
  PID 4916 wrote to memory of 4240 | 4916 | cmd.exe | timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4684

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2880

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\JDAKJJDBGCAK" & exit
          - Suspicious use of WriteProcessMemory
          PID: 4916

            C:\Windows\SysWOW64\timeout.exe
              Command line: timeout /t 10
              - Delays execution with timeout.exe
              PID: 4240