vidar | 4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 08:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe
Size

766KB
MD5

af830cfd0dc37469686047ce8c30479c
SHA1

1e2d24cc0fdeeed785730b5182c580f7719391be
SHA256

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4
SHA512

54a67a79e1556ff88320c291db3e81343544f44a5033a8660fcb31fe33c359ce7365d1b325692ff545d45971c3304382cff002c8095fca1253c3e32001ae7a1b
SSDEEP

12288:DlA/9z2Jtv21nf3ELaUqjXn3YLkkmO8tXsOhdY5fhbJJ5X+ZwAieDqjdROcuFAqb:DOzQ81/oaUQXnoLkk81i5f7fwqjPOcs5

Score

10^/10

vidar 865 discovery stealer

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

865

https://mas.to/@xeroxxx

Attributes

profile_id
865

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/3040-2-0x0000000000DA0000-0x0000000000E76000-memory.dmp	family_vidar
behavioral2/memory/3040-3-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral2/memory/3040-10-0x0000000000400000-0x00000000008EE000-memory.dmp	family_vidar
behavioral2/memory/3040-12-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral2/memory/3040-11-0x0000000000DA0000-0x0000000000E76000-memory.dmp	family_vidar

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	3040	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

C:\Users\Admin\AppData\Local\Temp\4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe
"C:\Users\Admin\AppData\Local\Temp\4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1020
  2⤵
  - Program crash
  PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3040 -ip 3040
1⤵
PID:2368

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

mas.to

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

Remote address:

8.8.8.8:53

Request

mas.to

IN A

Response

mas.to

IN A

172.67.166.96

mas.to

IN A

104.21.11.154
GET

https://mas.to/@xeroxxx

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

Remote address:

172.67.166.96:443

Request

GET /@xeroxxx HTTP/1.1
Host: mas.to

Response

HTTP/1.1 404 Not Found

Date: Sat, 23 Nov 2024 08:46:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
vary: Accept, Accept-Language, Cookie, Origin
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: same-origin
Cache-Control: private, no-store
content-security-policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://mas.to; img-src 'self' data: blob: https://mas.to https://media.mas.to; style-src 'self' https://mas.to 'nonce-NV2nNCXDN+9uAFX8Tft+Cw=='; media-src 'self' data: https://mas.to https://media.mas.to; manifest-src 'self' https://mas.to; form-action 'none'; child-src 'self' blob: https://mas.to; worker-src 'self' blob: https://mas.to; connect-src 'self' data: blob: https://mas.to https://media.mas.to wss://mas.to; script-src 'self' https://mas.to 'wasm-unsafe-eval'; frame-src 'self' https:
x-request-id: cb576f5d-764d-4eeb-ae41-6fbffc4e2b2d
x-runtime: 0.004750
strict-transport-security: max-age=63072000; includeSubDomains
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=odFeXqnHdCXmiAY8gEYZaCHj4ky6atB3dM8%2FonjlkZ7bdKHIistLBcevn4hQKQYKGoDJF5PCOpJ42FXw2icz0MXZk%2BSwGnceCpDE6uA956AGtx%2Fqyxskfp0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e6fe376bc75719f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59956&sent=5&recv=9&lost=0&retrans=0&sent_bytes=3267&recv_bytes=335&delivery_rate=68017&cwnd=253&unsent_bytes=0&cid=dd2c342556cf5c01&ts=526&x=0"
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

c.pki.goog

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.3
GET

http://c.pki.goog/r/gsr1.crl

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

Remote address:

142.250.200.3:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 23 Nov 2024 08:46:20 GMT
Expires: Sat, 23 Nov 2024 09:36:20 GMT
Cache-Control: public, max-age=3000
Age: 3
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

Remote address:

142.250.200.3:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 23 Nov 2024 07:56:33 GMT
Expires: Sat, 23 Nov 2024 08:46:33 GMT
Cache-Control: public, max-age=3000
Age: 2990
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

96.166.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.166.67.172.in-addr.arpa

IN PTR

Response
DNS

3.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.200.250.142.in-addr.arpa

IN PTR

Response

3.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f31e100net
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

69.72.21.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.72.21.2.in-addr.arpa

IN PTR

Response

69.72.21.2.in-addr.arpa

IN PTR

a2-21-72-69deploystaticakamaitechnologiescom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

172.67.166.96:443

https://mas.to/@xeroxxx

tls, http

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

1.1kB
7.1kB
17
13

HTTP Request

GET https://mas.to/@xeroxxx

HTTP Response

404
142.250.200.3:80

http://c.pki.goog/r/r4.crl

http

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
20.189.173.9:443

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

mas.to

dns

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

52 B
84 B
1
1

DNS Request

mas.to

DNS Response

172.67.166.96

104.21.11.154
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

c.pki.goog

dns

4c562ec144d50f289be0d9a1dbe35ce3d39ddc2feca4a14363398acffd2056a4.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.200.3
8.8.8.8:53

96.166.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

96.166.67.172.in-addr.arpa
8.8.8.8:53

3.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.200.250.142.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

69.72.21.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

69.72.21.2.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-1-0x0000000000A60000-0x0000000000B60000-memory.dmp

Filesize
1024KB

Download
memory/3040-2-0x0000000000DA0000-0x0000000000E76000-memory.dmp

Filesize
856KB

Download
memory/3040-3-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3040-10-0x0000000000400000-0x00000000008EE000-memory.dmp

Filesize
4.9MB

Download
memory/3040-12-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3040-11-0x0000000000DA0000-0x0000000000E76000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.