Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-12-2024 11:49

General

  • Target

    e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe

  • Size

    6.2MB

  • MD5

    584cf4a4f9cb958539ac091b3a79fd3a

  • SHA1

    83cf9bfe5747e7155ca816c752658ad3aaa0d9fa

  • SHA256

    e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7

  • SHA512

    6acd009c4ab0f0e548669af6e1b68f13a5c60bca36a6ccc2095796b415dde47dd0f1d5c2ae587a4735fbecaf3b73046389c291ebac45dd131682e2b9407f4249

  • SSDEEP

    12288:yQuJMMD+15Kx4I3y41UyKvXVr4D2P8wMxmAQvOwLALDOQyQWDs0H:IyM0IZTyZVEakxmdVALDONPjH

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

8ff0797948d4b39f051a704ea27bdbde

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

  • Detect Vidar Stealer 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe
    "C:\Users\Admin\AppData\Local\Temp\e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
        PID:4100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 12
          3⤵
          • Program crash
          PID:4924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4100 -ip 4100
      1⤵
        PID:4996

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4100-4-0x0000000000400000-0x0000000000659000-memory.dmp

    Filesize

    2.3MB

  • memory/4308-0-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

    Filesize

    8KB

  • memory/4308-1-0x0000021060F30000-0x0000021060F38000-memory.dmp

    Filesize

    32KB

  • memory/4308-2-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

    Filesize

    10.8MB

  • memory/4308-3-0x000002107B310000-0x000002107B3AE000-memory.dmp

    Filesize

    632KB

  • memory/4308-5-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

    Filesize

    10.8MB