Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cf.cloudshie...

windows7-x64

1

https://cf.cloudshie...

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2023 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cf.cloudshieldcdn.com/bWl4c29mdHdhcmUuYXBw/@v3/download/SpotifyCrack2023.rar

Score
10/10
vidar408stealer

Malware Config

Extracted

Family

vidar

Version

2.5

Botnet

408

Attributes
  • profile_id

    408

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://cf.cloudshieldcdn.com/bWl4c29mdHdhcmUuYXBw/@v3/download/SpotifyCrack2023.rar
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3988
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4260
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3708
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SpotifyCrack2023\" -spe -an -ai#7zMap20438:94:7zEvent26585
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1424
    • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
      "C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:456
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 948
            3⤵
            • Program crash
            PID:4260
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SpotifyCrack2023\New Text Document.txt
        1⤵
          PID:3940
        • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
          "C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4244
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            2⤵
              PID:3684
          • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
            "C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              2⤵
                PID:4544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 456 -ip 456
              1⤵
                PID:4476

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\Downloads\SpotifyCrack2023.rar.h8zjrqr.partial
                Filesize

                6.8MB

                MD5

                45bd1fca07eafe42681b17c04ae09cc8

                SHA1

                e4c085773b4078fb4b50f11e43becd0360d6d5f1

                SHA256

                11a54c0db7cc7a99335422ad8c35919c502e11b9f0de2a8af7fd8fbcead0a970

                SHA512

                baae7b4d961e7f1d0bd548cc2538e50a964350b386ceaa7b37fc883f2b769eeb2623b0217aed5e2cb1d55cc226b870f203daac2b8c72d2824f8ecdb27c4f90b2

                Download Submit
              • C:\Users\Admin\Downloads\SpotifyCrack2023\New Text Document.txt
                Filesize

                68B

                MD5

                50c890d529b836e3a4797c21331c3804

                SHA1

                cbeb047d46237d0ec2b92d7493703ed1d875b4e7

                SHA256

                51b669fc4d2c23b21ffe6af13c423b7233a56cad5a57d403e1276ee2f399d292

                SHA512

                1749b51ddbbb7022f339c7c7304086c1c1977ed23bc1546d2a8a94fa9af9ee0e68d8c603817d6cfdc98b7969891cbcba601f392a7a2d83e38df980d6885615ba

                Download Submit
              • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
                Filesize

                192.1MB

                MD5

                f74d3c036aab6bbc6750128c7b79327d

                SHA1

                40db5903abe36c0078460778155b1c37924bb803

                SHA256

                9702fb5f6671d1e4ccfaa9d4c52c4a91b781f63abc35730c57cc5a2482bc1eef

                SHA512

                2278cb20da2c6a441abc2398e330a1979d3f77505202e9ccb7833df2a2c9981b41af0f05460f1456ff231bcf32249a85e01eba4e238e6cc2e56ab27ea3559f88

                Download Submit
              • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
                Filesize

                189.6MB

                MD5

                be1e5f68727aea9c4dfa7f525b20f14b

                SHA1

                bf10ea8518d22be7b49e21c0de620adefd746ca7

                SHA256

                a11c12be8c263ed3f0c8093b16fa90b1461a2c4a85d067509a7c7863eb87dcff

                SHA512

                cc07e76da6924dd7bfaa5704241c7273f0319278f724f80b898eef78e9f2670101dba275fba41fe2bbbc5e2100506b19c35a2db971ea560ea0678bfe04093e11

                Download Submit
              • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
                Filesize

                38.9MB

                MD5

                279b73fcb992db58e64e29c48124e433

                SHA1

                c3eb8e9bd57ebf0cdf10d87fd5dd3287487ad1ba

                SHA256

                77027eabd230c8eb5979a66d660c61caa10e5bfc46d065c0d761de3857a32de0

                SHA512

                804460013e8721539202f2a6bb793ab2dd92e5d30cb46948d3a2a16388e4daca9e5feb99ce77414c173301632b14b62958aac0aa9464773159779d71df0d0350

                Download Submit
              • C:\Users\Admin\Downloads\SpotifyCrack2023\SpotifyCrack2023.exe
                Filesize

                30.7MB

                MD5

                3860052e7a172ee1b4239cdfb60def97

                SHA1

                80977bbaba9bebe5b054c514b9bc30e0d3be79b1

                SHA256

                54f8e0c7d89ddbecf8c13e6df2baf9bac64572494c25c0bd6032cf9e469f10b4

                SHA512

                9421440385413aabf9eb73744d497e6b7afda79dd580dbdbea49a140c82d5f526a0ee2b33f5390f6e33b940b8ed546a9fa2b0e6d4e3d548f8aa27703effbc083

                Download Submit
              • memory/456-135-0x0000000000000000-mapping.dmp
                Download
              • memory/456-142-0x0000000000400000-0x0000000000472000-memory.dmp
                Filesize

                456KB

                Download
              • memory/456-136-0x0000000000400000-0x0000000000472000-memory.dmp
                Filesize

                456KB

                Download
              • memory/3684-146-0x0000000000000000-mapping.dmp
                Download
              • memory/3684-157-0x0000000000400000-0x0000000000472000-memory.dmp
                Filesize

                456KB

                Download
              • memory/4544-150-0x0000000000000000-mapping.dmp
                Download
              • memory/4544-161-0x0000000000400000-0x0000000000472000-memory.dmp
                Filesize

                456KB

                Download