Analysis

  • max time kernel
    205s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14-02-2023 20:26

General

  • Target

    Loader.rar

  • Size

    1.8MB

  • MD5

    20db25a9fea3c1be7c05243f4a785f47

  • SHA1

    93c957661c6fa16cf3444baf2ce5ded53e46feee

  • SHA256

    04fc208575dbe86f6239f612c8eddb0d9587b9c5a2e20ba5e96190f28ea61ce4

  • SHA512

    5e427fb5d5ccc6e38c00d0f6973b12b1075b319306a3beca394a93b792f08fcb9552923478265cdf68acb412eb80e8bc20f4764a577837aaf4ebd15bd9bd6ec9

  • SSDEEP

    49152:SWDAhMeJFuQzcRKrAXNWNCLByJNg8CzPFQrWMlMbKZVl9V:SWDAhM6FEKrA9iCLByJJgFkiYl9V

Malware Config

Extracted

Family

vidar

Version

2.5

Botnet

408

Attributes
  • profile_id

    408

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Loader.rar
    1⤵
    • Modifies registry class
    PID:4968
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3400
  • C:\Users\Admin\Desktop\Loader.exe
    "C:\Users\Admin\Desktop\Loader.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1836
        3⤵
        • Program crash
        PID:3476
  • C:\Users\Admin\Desktop\Loader.exe
    "C:\Users\Admin\Desktop\Loader.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:2228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2156 -ip 2156
      1⤵
        PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 2


Downloads

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    28KB

    MD5

    503a273b6f80bf6c48d31f0221865102

    SHA1

    957ab80368c178ff9b303690ae49712a5855473e

    SHA256

    59a21fed2b5f79a14e0424ca6d0b350d113b1ee05aca1a2b918faf68d817dae6

    SHA512

    d75c4335d384e0ff69cc2f4b44a35d617b8021e44f270f5c7d712516f8f4cdd551b20cc2a8af6f1608ac787b507ca88802db2579b86c36cc9097ec5665b56ee7

  • C:\Users\Admin\Desktop\Loader.exe
    Filesize

    685.4MB

    MD5

    2cdb1c360cb9dd33c05834cc0aba8693

    SHA1

    d5136f0cdda0e07cf918182378950b35ea9ff214

    SHA256

    e27a40becea3e591b85dec954943cf8a7943da891150052a1afa8542b026c931

    SHA512

    06f558dc1bf188c28cddd64469bff5c26bd30de632f8f481900befc606793821c0307c0f77121a103e5501a38a6b350db3ec69d6a26fd6cb4b0bb4434fca67e3

  • C:\Users\Admin\Desktop\Loader.exe
    Filesize

    756.4MB

    MD5

    b4ea63117feffc45ac2dfa7a1d07435b

    SHA1

    cea4066f961c346b080ba2d8a961ed20d03a0e61

    SHA256

    53b0976a61762be4552378a8ec15a952a9a3f590e340e16b76bb06b717f6cfdf

    SHA512

    c5edcb699ae4164d5c945eba11ff0b2dd658990cfe5d109157df474ef885d91f95a47f75557dd38e4f2e1fbfda3dc2581e2f1f25fa2457fad8e0823c51aa5ab0

  • C:\Users\Admin\Desktop\Loader.exe
    Filesize

    716.3MB

    MD5

    8896939a38340772a025872e1035f033

    SHA1

    98cd1dea5bc51cd49da761766610faa8fb31b3ff

    SHA256

    0c6a35b044c82aa8b1079c1a44f141a734ad9cb468de250477a64feb9e21adba

    SHA512

    be5a285a1bb5cfb7e1a3979188852bd9f40ce89f67ec24a5d92cd6fc673718334c9594e83e658c9faa69a789fd7357c4a95477b7721df798071715b3825405ff

  • C:\Users\Admin\Desktop\README.txt
    Filesize

    220B

    MD5

    0899257a400d8dcb5b9df33ed7554875

    SHA1

    9117ce47fc86a867ef07d4ec18ea1ff8839df406

    SHA256

    316bb7c0c9ffe478267d5b60d1456e6677a6bf2fd60b38f20c6203a9b2c56e9e

    SHA512

    e6dfce9b4859eaf7fb36bc3b1ebf01d12c8ed90b1a53954bb593aef02db3a10fd7b6a282dd12f18053c0afe61c20c9b9b269d50ff05ae3a5ccb54aed1bd13eb2

  • memory/2156-143-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

  • memory/2156-153-0x0000000050FE0000-0x00000000510D3000-memory.dmp
    Filesize

    972KB

  • memory/2156-137-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

  • memory/2156-136-0x0000000000000000-mapping.dmp
  • memory/2228-152-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

  • memory/2228-145-0x0000000000000000-mapping.dmp
  • memory/3400-132-0x0000000000000000-mapping.dmp