Analysis
-
max time kernel
133s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
07-06-2024 05:54
Static task
static1
Behavioral task
behavioral1
Sample
ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe
Resource
win10v2004-20240508-en
General
-
Target
ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe
-
Size
2.9MB
-
MD5
9ac773e8eafc40e03b5f33a636f41a09
-
SHA1
fb540e2ed2fbfeb3806dabb18d5c0aec612e3069
-
SHA256
ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f
-
SHA512
c96ecabd78d7f2d536874eb5722ec6a805e051414535ae4c4fd792fcd36f9a491ddabc86fc80ccf5fa4bcdd50464822de6ab0d8272016f591975c2a988a81bba
-
SSDEEP
49152:rtpSxptE1AKnCdMS4cdR/z4+UVi4e9Crn:r/4nE1dCSKxx4e9Cb
Malware Config
Extracted
stealc
Extracted
vidar
https://t.me/r8z0l
https://steamcommunity.com/profiles/76561199698764354
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Signatures
-
Detect Vidar Stealer 8 IoCs
Processes:
resource yara_rule behavioral1/memory/2440-1-0x0000000002C70000-0x0000000002DD6000-memory.dmp family_vidar_v7 behavioral1/memory/2340-4-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/2340-9-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/2340-8-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/2340-13-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/2340-14-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/2340-31-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/2340-32-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
katE465.tmppid process 2340 katE465.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exedescription pid process target process PID 2440 set thread context of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp -
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
katE465.tmpdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString katE465.tmp -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
katE465.tmppid process 2340 katE465.tmp 2340 katE465.tmp -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exedescription pid process target process PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp PID 2440 wrote to memory of 2340 2440 ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe katE465.tmp
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe"C:\Users\Admin\AppData\Local\Temp\ecb0527bfe18f89a938ca234b2598f1ee4fa9e323a47cd6aac69e3acb65ddb2f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\katE465.tmpC:\Users\Admin\AppData\Local\Temp\katE465.tmp2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:81⤵PID:4468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
861KB
MD566064dbdb70a5eb15ebf3bf65aba254b
SHA10284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA2566a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f