Analysis

  • max time kernel
    73s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-02-2023 01:11

General

  • Target

    Fivem hack.rar

  • Size

    1.9MB

  • MD5

    4156197b492c58a50e3fb2ffb4bcf681

  • SHA1

    7e5171efeaabe69d72ab28dbed028cc7efcdc6af

  • SHA256

    fadf73572a43a77edf12de54a2fe9cc13e58a6653d538202cde992c0ee8fdf1d

  • SHA512

    76f585aa8c00f9f09ac58b4379c1fe296088133bc8acc5f664458cdd34e6e8b138d9e1125e0dcf161ae8007088d6f202e07b233d8ac1c112863f58f65aaab8e6

  • SSDEEP

    49152:4NB5tG9MW7vXU4EzJuI1OKLf/7mnQYE2Xzp:4pTIWAKLXWNE2Xzp

Malware Config

Extracted

Family

vidar

Version

2.5

Botnet

408

Attributes
  • profile_id

    408

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe
          "C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1504
            • C:\ProgramData\99508117318636619476.exe
              "C:\ProgramData\99508117318636619476.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:768
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\99508117318636619476.exe
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:632
                • C:\Windows\system32\choice.exe
                  choice /C Y /N /D Y /T 0
                  8⤵
                  PID:1064

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: System Information Discovery, T1082 (2)
  • Discovery: Query Registry, T1012 (1)
  • Collection: Data from Local System, T1005 (3)


Downloads

    • C:\ProgramData\99508117318636619476.exe
      Filesize

      7.4MB

      MD5

      211810b3c634cb6cc6f685efcc2a5c93

      SHA1

      e123714e64a040d06b66775e0c2aec8c7014ce08

      SHA256

      26e7ecccd5143958996bf523d854c928ae5dfa045f661c23d69599dfdf0d7770

      SHA512

      a481a3250714fd4b96474a450844afd9245cb927b112fcdf83e7c306c3fe0e0a04e855a9e49cc42a4534eb5bbce2e462379204844aa5b227e13cba98007b8be0

    • C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe
      Filesize

      761.7MB

      MD5

      f4b515b98bdd8d50a4e9c80c42940723

      SHA1

      5b534564abc6f7b198f0f4861f9f6f09c0055f18

      SHA256

      117126021411bc66431a70f6738c3bddb09dfa45165507d6107a4595ae2f1170

      SHA512

      f91ad2d492b5e97955e2611e968dc6df23601d481d0047cf873f1d2b884323ce35bfe14eaba961af5271c453a6d86d0e8b4358cbd63e0ff5e94679c8ed09e58a

    • \ProgramData\99508117318636619476.exe
      Filesize

      7.4MB

      MD5

      211810b3c634cb6cc6f685efcc2a5c93

      SHA1

      e123714e64a040d06b66775e0c2aec8c7014ce08

      SHA256

      26e7ecccd5143958996bf523d854c928ae5dfa045f661c23d69599dfdf0d7770

      SHA512

      a481a3250714fd4b96474a450844afd9245cb927b112fcdf83e7c306c3fe0e0a04e855a9e49cc42a4534eb5bbce2e462379204844aa5b227e13cba98007b8be0

    • \ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    • \ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    • memory/316-82-0x0000000000000000-mapping.dmp
    • memory/632-122-0x0000000000000000-mapping.dmp
    • memory/768-120-0x0000000000000000-mapping.dmp
    • memory/832-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
      Filesize

      8KB

    • memory/1064-123-0x0000000000000000-mapping.dmp
    • memory/1504-86-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/1504-98-0x0000000050FA0000-0x0000000051093000-memory.dmp
      Filesize

      972KB

    • memory/1504-97-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/1504-96-0x0000000075831000-0x0000000075833000-memory.dmp
      Filesize

      8KB

    • memory/1504-95-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/1504-94-0x0000000000432A3C-mapping.dmp
    • memory/1504-88-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/1716-76-0x0000000000000000-mapping.dmp
    • memory/1956-84-0x0000000000000000-mapping.dmp