Malware Analysis Report

2025-04-14 05:14

Sample ID 201203-anyaytq7pa
Target update.bin (1).zip
SHA256 b23b61cd59e29ffe5f204918dc720bf6f21278bc17e541613303727ccd8263b1
Tags
masslogger vidar discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

b23b61cd59e29ffe5f204918dc720bf6f21278bc17e541613303727ccd8263b1

Threat Level: Known bad

The file update.bin (1).zip was found to be: Known bad.

Malicious Activity Summary

masslogger vidar discovery spyware stealer

Vidar

MassLogger

Vidar log file

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2020-12-03 18:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-03 18:27

Reported

2020-12-03 18:57

Platform

win10v20201028

Max time kernel

1727s

Max time network

1728s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

Signatures

MassLogger

stealer spyware masslogger

Vidar

stealer vidar

Vidar log file

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware

Reads user/profile data of web browsers

spyware

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\update.bin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\update.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update.bin.exe

"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp

Files

memory/644-2-0x0000000002380000-0x0000000002381000-memory.dmp

memory/644-3-0x0000000002380000-0x0000000002381000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-03 18:27

Reported

2020-12-03 18:32

Platform

win10v20201028

Max time kernel

300s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

Signatures

MassLogger

stealer spyware masslogger

Vidar

stealer vidar

Vidar log file

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware

Reads user/profile data of web browsers

spyware

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\update.bin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\update.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update.bin.exe

"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 kolobkoproms.ug udp

Files

memory/4804-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/4804-3-0x00000000022A0000-0x00000000022A1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2020-12-03 18:27

Reported

2020-12-03 18:28

Platform

win10v20201028

Max time kernel

9s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

Signatures

MassLogger

stealer spyware masslogger

Vidar

stealer vidar

Vidar log file

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware

Reads user/profile data of web browsers

spyware

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\update.bin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\update.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update.bin.exe

"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 kolobkoproms.ug udp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp

Files

memory/1020-2-0x0000000002410000-0x0000000002411000-memory.dmp