Analysis
max time kernel: 121s
max time network: 159s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-06-2024 01:48
Static task: static1
Behavioral task: behavioral1
Sample: d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe
Resource: win7-20240221-en
General
Target: d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe
Size: 3.1MB
MD5: 50be5d01f679a874802ddaac7c5f0169
SHA1: d8e512434a94b0e123d1b7e0f4f4044252d7f238
SHA256: d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f
SHA512: 24e252b66ffe35845a03a5553096a018f91d6b3d0a36ba3aa0afab9e006dea35a14075e860b34a7fec9b7d34fd7a8e0516d43d9306afd70ee9a882fd27634f37
SSDEEP: 98304:yrvT3E7GFI/apsT+9w0+xobK8U9Ve7MpSfwYfiJkju9wxZmcp4/uV8rSBgXmVVKJ:i3E7GFI/apsT+9w0+xobK8U9Ve7MpSfk
Malware Config
Extracted: stealc
Extracted: vidar
  https://t.me/r8z0l
  https://steamcommunity.com/profiles/76561199698764354
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Signatures
Detect Vidar Stealer (3 IoCs)
Processes:
  resource: behavioral1/memory/2428-80-0x0000000000400000-0x0000000000648000-memory.dmp, yara_rule: family_vidar_v7
  resource: behavioral1/memory/2428-485-0x0000000000400000-0x0000000000648000-memory.dmp, yara_rule: family_vidar_v7
  resource: behavioral1/memory/2428-632-0x0000000000400000-0x0000000000648000-memory.dmp, yara_rule: family_vidar_v7
Downloads MZ/PE file
.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
  resource: behavioral1/memory/3036-1-0x0000000000260000-0x0000000000588000-memory.dmp, yara_rule: net_reactor
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: set thread context; pid: 3036 (d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe); target pid: 2428 (MSBuild.exe)
Checks processor information in registry (2 TTPs, 1 IoC)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: MSBuild.exe
Delays execution with timeout.exe (1 IoC)
Processes:
  pid: 1524 (timeout.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 2428 (MSBuild.exe)
  pid: 2428 (MSBuild.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege; pid: 3036 (d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  PID 3036 (d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe) wrote to memory of 2428 (MSBuild.exe): 10 events
  PID 2428 (MSBuild.exe) wrote to memory of 3024 (cmd.exe): 4 events
  PID 3024 (cmd.exe) wrote to memory of 1524 (timeout.exe): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d83b46ddb754b838983651b38bcd55ccdd09cae1e79ea9c0e8b3d0c01e2db59f.exe"
  PID: 3036
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2428
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKJJEBFCGDAK" & exit
      PID: 3024
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 10
        PID: 1524
        - Delays execution with timeout.exe
Downloads