Analysis
-
max time kernel
16s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27/03/2025, 04:11
General
-
Target
sample2.exe
-
Size
871KB
-
MD5
dd1b734796b4aa40af46b4d69e1e2da2
-
SHA1
d5273be84dfa0c54fc9cefff7bcc24fed3e20e1c
-
SHA256
361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20
-
SHA512
2de21b09091caaa2cfca919fb8e5777afb80ff1eba12b81b2f9a6fde3c94aea52f3bba22ad801bae37fb8816fc7e738c54fc2639d8f6cf47e04d4bc0dbd2af56
-
SSDEEP
12288:iANwRo+mv8QD4+0V165iTr/erjzuQhyACzHDxx/PI11TUeJpIPxSG6zKzxSg564k:iAT8QE+kms0LrSPY/TUeJ4jVzCW1qQa
Malware Config
Extracted
vidar
28.3
651
http://manillamemories.com/
-
profile_id
651
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V1 payload 1 IoCs
-
Raccoon family
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Vidar Stealer 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 54 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample2.exe"C:\Users\Admin\AppData\Local\Temp\sample2.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Ldta7.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg2⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1smEq7.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe"C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD54bf51a81f50e12aafccf29671bb32576
SHA17fd25a2555d83e87435e1b437fe00d3ef637d010
SHA2561eb5f96e9c12d3c81c2647791a0db9a99570101672e869cf85e82d3f3b3a307f
SHA5127bfabf8561fd1e3d044d1041537fe832d9190e3e62b27747f88052b78022aee80b03595849a45541b89a7ad3ffad9b38e976b07fcb4c1ca858d0149a7de6c29d
-
Filesize
2KB
MD592e260d1958984d7dd9cbdbf82b6f1b0
SHA13ccafdc16d38af14683e2c8dcc026cc952340d60
SHA256160c289f80760947c5d2067f65f92502e817601fc15bfdfaf46cdea00ac1a76f
SHA5123f07618d45588fa58a8965a6bceef5344787f2a3c52f3714f82636d40239f313e649abbc8700e4f50d63ed3b52e3e6e161b79ec8a405116ece1042184c5420ca
-
Filesize
1KB
MD5c9be626e9715952e9b70f92f912b9787
SHA1aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA5127581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD5e275707e4b3f1d4702134a322304d726
SHA191ef05943ffe70ece3280d9d62c8c026f9f27bf3
SHA2566682d8c5cbafcb51b481c27e4cc10f1c28f235d8f53e78fcfaff9b4b5492b5b7
SHA512266a0558d4e07473c16f82f6b8ce8ab1fea06ae9d6622e68e34ddc2d8e6b26ecb0b97cfc081361090625c0641d41ab06620d96688e0f4bf28c38b05d0d5176aa
-
Filesize
174B
MD53140f218925968b657788c51b61faaed
SHA1e9a572e4da0d5e17bbd5e040ae524292531703b8
SHA256c8f6ec150d4c41eaa829dcbe52a4c49bcc453e7b0a627663901a506f994a39f1
SHA51241ae6d409924186e3d57d726b33a378910980b6a7d5218a99a3c3ec34cf2d4c6d19f4a0e415dd02bd2fd8bb5e5015dbb557e141a9702400cf5df2554512225c3
-
Filesize
344B
MD5203c80a9b8a17016332cf60719e26829
SHA144565c3cc822be52e859b6f92209959dbd3978f2
SHA25688dd8690a2c4d46843b5e62b0c8ccc37c022c844adfd1ad60cb0b8c2d82a1fd5
SHA51237a10680f1e7168afbc24453c76118378bc81488067fc42d3cf0aa53d2f7d1393629e90ff88047aece4fb8b20869f9c58cfe5f9e0471b81457fbaa40d83658b9
-
Filesize
344B
MD5f9ac1ad0ad8c5f129466e388fecc0e1c
SHA1914e32d07a180325d74bfdebc1c2088e4529653a
SHA25620db991db757462898ba71300263a692eb7493413e02302d1a11553d9969693c
SHA512a5e68c3c177d1aed51f3dfa1cc5e67afef0e97c17b82c2be747b49d0a6432b7b5a0a187a199c571fae656b505aade5e62406e47950d3c7974afaacf0d1b5c12f
-
Filesize
344B
MD5dbd116a43b540ae9c15e198ba2dea9f0
SHA1b5b884dd1748f427f611ef2979bf5362dae009df
SHA2567d52b462dedca39492c63a9e4c5f3ab457cc2d923cb4c5327c4274298da8de42
SHA5124cce259c31395fb6327f06cb3ed48d58002ad1cc265f682d5b5df06ec85b034c629e0a95550622fb8af9e1e62ca8bc9a1ebf8bb75f608f8eeb4685cac7044ba6
-
Filesize
344B
MD5a341c8b3c9b9cc5102516b96fd3e10e3
SHA181064e5140b4ea6ced1220a6b75eb51f740beb7d
SHA256eff86a73411c6a71096f5e3e5315630b7b745ae0b6e5d30b142e20d247cb7e3c
SHA5122b56e16738ceb6da379c0d5f7c6a95599885027ee2f5f6ad3787943cd9da9d01427c613e611a132d02625d5883ae23e74f0d985b6ed8e8eaec62792bb069b687
-
Filesize
344B
MD530afdfce8b92d0cca0f0d21b9543e964
SHA11cc33cf3f20066726ccf85c81ad37b09c1fc303b
SHA256d2cd234c59089b6d280d2958a4091bf6e7d53709ae8b79d26f1bf740830f3b24
SHA512ffd9c084c8580f0077755779cf76cd22c0647974f05b17ccf1a466c49b0b746a47552a73e463f2757eeea901c50d37e97064342cdc45bcb52f61018f1dabb993
-
Filesize
344B
MD583dd1d1884226730ce398f6d423ae539
SHA1c9e82ffcea1e586206858718f69dcb7022d88fef
SHA256aedefd912f99a9abe79730b99fcd47683af172eca6beb232af624c9e01e47327
SHA512dbc687a73472ecd89b52d3205f170c97fc242089a09e31a02286980915c879582cb4f1d332f9bfe2afb9ccfb990b024f8e55b59b3668f5c06646e20d34bb29c1
-
Filesize
344B
MD589d1ffa7152ae44a9bdec230bb3ef776
SHA19858bf750b42db79f96dc6bd9623731d2d3685aa
SHA256659fab5e1be19a062e1551a86c381ba2386051683ece0df1b62d7e166b6a52d7
SHA5129cc38d814134f87c49fb258ca6c169b9e037fe201077f2626fbd65e5555416b15327c8c0b1a6e9e1c00269d2862a63c685cddb36a0dcff43ffb4281801219e88
-
Filesize
344B
MD5a6911e3c0752cf2221d52611c110cf46
SHA14e3b6cde288eab351e2a6dbb5aa5cab45720e0f5
SHA2562c94fdf1888bd1b0371f2dc62fcab2deb269dc6043035abc6281dc30784caaa9
SHA51219d1674a7329cb5a26e655b3507389a647ab754bc57a4f231b3006046c8ad1e2bc37f14a9b384a40bdc1a19dea289d5b93fd85e6c225b658bbd8446678f9d64e
-
Filesize
344B
MD5f4b16db5b847f9ce66f4e4a266c77486
SHA1f2b14014179f802d5df535f06c694a95c5de5bf4
SHA256da5642cdbefe84a4e3c7254a67a6914f0bdf3c7c84bb25c429dad6fd7e844a3d
SHA5122527735bae955434a11931962a962f3f59485f3209f091b1bc281d08fb7b4470553ae49bf283731b61867a8779e27bda823d5c580a5afd9f0d53d07a71240008
-
Filesize
170B
MD587eb2d7fe3cfe4f6f794c2dfdd719b67
SHA16caf30d27754b139d87469cb68c5dddd02d68ab7
SHA256c8128110799881e556ab0d717b02d254abf2d064d1955cc33fd65540bdad383d
SHA51211d87cb231b2ea7b664ae59176efaa820e9d34eea1faf9dd387a17d88fd4da2f75251690ea956fdd81e148d2059d0f1d387aa0ee14bbf38c32e422f4aeb72c8f
-
Filesize
5KB
MD5420041a47d82fffc3623707efc571fac
SHA127acd54ab2259f05f985541bfccb9232d5075e88
SHA25633f8c27f1710fdd72705ad51d4329c2a6f1e9fcc99aafc1c4d33286a3109d147
SHA512adc0cd4d092f27efc1c401a868fbd66fd47da10ebd9e7a04ed669c7f5eb052a5c220cbef35ecc0a991e56db941697ac0c3fa883576cce5cde8863e9e7352609f
-
Filesize
4KB
MD5d5739fb71130d24857bf88d5c1929f57
SHA17e1febab7463073342ef2ff662ef6ba2b94c4c90
SHA25616b5b90c55be8d0e9fa6cd25c66dc992dbd6c2f4a372a2a93774f33fd59a2278
SHA512d162bc3128fa5217e83aee28f331c878cc5b69e60a28dd4d68cbf62013b868f6fe86f6c6d580c2183ac4e5cd6eb2ea44f6a3494d6a27fd8c2d321f7662e72241
-
Filesize
5KB
MD5a530f3fa81c975d1979c2f08701be352
SHA111f4dcda39e35dd1a54fa18ff166203748476458
SHA2568c078dde209e1f8f804d7f33381d4e52d382280fc21c9fef0f3eae8b07a81242
SHA512b5b8a960a0136868f68b6344dfa5dd2be8ba0d93a9eb12c5f26e4e2e36d06ad5319262efdbfc0fbcbd18c0606273e1028392a6716de52b69c0361066e7874111
-
Filesize
2KB
MD518c023bc439b446f91bf942270882422
SHA1768d59e3085976dba252232a65a4af562675f782
SHA256e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
170B
MD5c74f872e766ec4e84837c773f7ec8581
SHA1d83dbb7dd88f0f79a0d9c24b9c1fc7e1c118c8ec
SHA256f3d1b0783b1807f981e24867a61f6f3b3e8f6a3ca72f4645e359e8f533cbf8cc
SHA5120c08779e1e5d5c432b8ca7a58fad3968aa544a0ffc78292834938d2562b7002e11590bc949af29a1a4ae1af434acca93aa01da3fc96ac99b7c3127ec03f33aa1
-
Filesize
252B
MD54af08338f53ceb156cd3c294faa15421
SHA10e0149739aded8b722789e98e820aebe3d0d5d7a
SHA256b86f0416cf7fd1136744550c824ff7633b9d65c876b264cc8450f602b8a0ff33
SHA512cbb7c87877c0421f4aaa5f78ebc9a60e94936f58bef9d297e23b220a7a6e29641fd164c0a34524d34e985ce000f817e53c7c0438dfbbd8365fa6dc650967e1a5
-
Filesize
450B
MD542f073434559fb6b9c67aba86de89d1b
SHA19b969de41fc717353619068e46f21ec1db093ab5
SHA25603ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed
SHA512b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547
-
Filesize
449KB
MD57b20f5c61780fe383f45ca6e18ed5a6a
SHA1bc9bfd59f0cde312cd9a0d20784887fed9b8c836
SHA25626ccbcb079b3f0cc183293351c40da3146d2ddec9b4d6cd314090cfab94834df
SHA5128a63f6ad20fe18bd49d055ae05bc81fe30d0ebfb25a37428b17b43569b53bf2560f0de8f993f62a2f5d458db78e6d24ad71fca8d7fd1133d3cb499dff356e68b
-
Filesize
544KB
MD5b8181cb72764c24e73c7b6204b16bed6
SHA1c430cc4776ff5e21d08bca9a0d73cfaf29108fa4
SHA256fdb5a0d4e97ee36d2b23605b0d8a2785d08d046058f07a8714e4908e8a2485a2
SHA512bd63970b846bfdc6990b803e12028c692bc3f3125df03c3b9ec4626e1ce56dc43313d37c71337868ade0e4da31a5eca971b453242829b7312eb7efd2a407de1d
-
Filesize
124KB
-
Filesize
46.9MB
-
Filesize
124KB
-
Filesize
204KB
