Analysis
-
max time kernel
125s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13/06/2024, 09:14
Static task
static1
Behavioral task
behavioral1
Sample
dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe
Resource
win10v2004-20240611-en
General
-
Target
dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe
-
Size
2.1MB
-
MD5
c4bec5d4577ba541bbca18dd42d28301
-
SHA1
36df2db5159af4d9575ec1f237626838f505b24f
-
SHA256
dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730
-
SHA512
1a7bf2042d3e07b17de67b057313287fa5244ef659b4e7cfe9424490c4aa6038e1fe07e938355fb659d85abc43fcc3a64b27c3ab187c668ae3ce3d92337a77fb
-
SSDEEP
24576:Ub4m+sws1qLVNMIlJl6DRKbAlcNRfCKFUfMxVVtes12FxwojKr98YGeGG9iO:UZXOjt6DuAwCKFUkxVVChjHZQs
Malware Config
Extracted
stealc
Extracted
vidar
https://t.me/r8z0l
https://steamcommunity.com/profiles/76561199698764354
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Signatures
-
Detect Vidar Stealer 8 IoCs
resource yara_rule behavioral1/memory/2440-2-0x0000000002A70000-0x0000000002B80000-memory.dmp family_vidar_v7 behavioral1/memory/1812-4-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/1812-8-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/1812-9-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/1812-20-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/1812-21-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/1812-31-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral1/memory/1812-32-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1812 katD570.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2440 set thread context of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 -
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString katD570.tmp -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1812 katD570.tmp 1812 katD570.tmp -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92 PID 2440 wrote to memory of 1812 2440 dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe"C:\Users\Admin\AppData\Local\Temp\dd0656cfec8f2a1424ed60350dddfb43bfd5dc1e0bb6f70a7b78aa8319d0f730.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\katD570.tmpC:\Users\Admin\AppData\Local\Temp\katD570.tmp2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:81⤵PID:4412
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
861KB
MD566064dbdb70a5eb15ebf3bf65aba254b
SHA10284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA2566a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f