Analysis

max time kernel: 94s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2024 04:47

Static task: static1
Behavioral task: behavioral1
Sample: 82839b7a610f7923f282f88f241b79c66332e0d043b41f2574c776484da7957aN.exe
Resource: win7-20240903-en
General

Target: 82839b7a610f7923f282f88f241b79c66332e0d043b41f2574c776484da7957aN.exe
Size: 1.4MB
MD5: 35bb5be7a9f9ca29e7239cc3f713b2d0
SHA1: a8da6cb42cb3a8dfc5e0d2d0fc9de16f94d10932
SHA256: 82839b7a610f7923f282f88f241b79c66332e0d043b41f2574c776484da7957a
SHA512: 4c6e3d70a9b58ee5e08588eee5ef5a40d8676028d8d68fe293cb7b0b6764061f0ec5170d1d058ba90a86d09f0e33c31987c96cbd815d46441139c19896b49775
SSDEEP: 24576:AF3iok5nCcAT5Aw/pkPpbUAEQQi+HrFZ390w28KSaVBXecD4fvPVlFegzHLYwFvx:AFSouMByUswrXKFSxBI0W
Malware Config

Extracted:
  vidar
  48.4
  869
  https://koyu.space/@qmashton
  profile_id: 869
Signatures

Vidar family

Vidar Stealer (4 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3764-3-0x0000000002B70000-0x0000000002C47000-memory.dmp    family_vidar
behavioral2/memory/3764-4-0x0000000000400000-0x00000000004D8000-memory.dmp    family_vidar
behavioral2/memory/3764-8-0x0000000000400000-0x0000000000578000-memory.dmp    family_vidar
behavioral2/memory/3764-10-0x0000000000400000-0x00000000004D8000-memory.dmp   family_vidar

Program crash (13 IoCs)
pid    pid_target   Process        procid_target
3396   3764         WerFault.exe   82
1700   3764         WerFault.exe   82
5060   3764         WerFault.exe   82
316    3764         WerFault.exe   82
1924   3764         WerFault.exe   82
2452   3764         WerFault.exe   82
1728   3764         WerFault.exe   82
4796   3764         WerFault.exe   82
3920   3764         WerFault.exe   82
1904   3764         WerFault.exe   82
760    3764         WerFault.exe   82
4312   3764         WerFault.exe   82
4412   3764         WerFault.exe   82

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   82839b7a610f7923f282f88f241b79c66332e0d043b41f2574c776484da7957aN.exe
Processes

C:\Users\Admin\AppData\Local\Temp\82839b7a610f7923f282f88f241b79c66332e0d043b41f2574c776484da7957aN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\82839b7a610f7923f282f88f241b79c66332e0d043b41f2574c776484da7957aN.exe"
  PID: 3764
  signatures: System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 776
      PID: 3396
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 816
      PID: 1700
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 896
      PID: 5060
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 936
      PID: 316
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 944
      PID: 1924
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 964
      PID: 2452
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1140
      PID: 1728
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1484
      PID: 4796
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1576
      PID: 3920
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1832
      PID: 1904
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1664
      PID: 760
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1636
      PID: 4312
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1632
      PID: 4412
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3764 -ip 3764
  PID: 1232

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3764 -ip 3764
  PID: 4280

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3764 -ip 3764
  PID: 2484

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3764 -ip 3764
  PID: 3280

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3764 -ip 3764
  PID: 2352

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3764 -ip 3764
  PID: 1348

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3764 -ip 3764
  PID: 4092

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3764 -ip 3764
  PID: 4968

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3764 -ip 3764
  PID: 3240

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3764 -ip 3764
  PID: 3684

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3764 -ip 3764
  PID: 4468

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3764 -ip 3764
  PID: 1308

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3764 -ip 3764
  PID: 2624