Overview

overview

10

Static

static

7

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2023 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.9MB

  • MD5

    a27435d71d3c86e923a81fd66d5118bf

  • SHA1

    9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd

  • SHA256

    ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

  • SHA512

    670b7ef2f6a139cd01909e3f385ddf855fb61589b9ec0d6aa001abbe773705e8e4b10edd9bc23734ae61e8b0e8d7e8e13e9011e0c22979a1dc5a20b91715a890

  • SSDEEP

    49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx

Score
10/10
vidar813evasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

2.5

Botnet

813

Attributes
  • profile_id

    813

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      2⤵
        PID:1120
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
        2⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\ProgramData\17125333403547803972.exe
          "C:\ProgramData\17125333403547803972.exe"
          3⤵
          • Executes dropped EXE
          PID:768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            4⤵
            • Delays execution with timeout.exe
            PID:1248

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\17125333403547803972.exe
      Filesize

      6.6MB

      MD5

      900d27e6128c54af6b69cf16612ef16b

      SHA1

      e21cfcd4e5767612b050ae2fed4868480af4ea1a

      SHA256

      01e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58

      SHA512

      d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f

      Download Submit
    • \ProgramData\17125333403547803972.exe
      Filesize

      6.6MB

      MD5

      900d27e6128c54af6b69cf16612ef16b

      SHA1

      e21cfcd4e5767612b050ae2fed4868480af4ea1a

      SHA256

      01e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58

      SHA512

      d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f

      Download Submit
    • \ProgramData\17125333403547803972.exe
      Filesize

      6.6MB

      MD5

      900d27e6128c54af6b69cf16612ef16b

      SHA1

      e21cfcd4e5767612b050ae2fed4868480af4ea1a

      SHA256

      01e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58

      SHA512

      d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f

      Download Submit
    • \ProgramData\17125333403547803972.exe
      Filesize

      6.6MB

      MD5

      900d27e6128c54af6b69cf16612ef16b

      SHA1

      e21cfcd4e5767612b050ae2fed4868480af4ea1a

      SHA256

      01e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58

      SHA512

      d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f

      Download Submit
    • \ProgramData\17125333403547803972.exe
      Filesize

      6.6MB

      MD5

      900d27e6128c54af6b69cf16612ef16b

      SHA1

      e21cfcd4e5767612b050ae2fed4868480af4ea1a

      SHA256

      01e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58

      SHA512

      d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f

      Download Submit
    • \ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit
    • \ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit
    • memory/768-91-0x0000000000000000-mapping.dmp
      Download
    • memory/904-93-0x0000000000000000-mapping.dmp
      Download
    • memory/1128-61-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1128-58-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1128-66-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1128-67-0x00000000511D0000-0x00000000512C3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/1128-64-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1128-94-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1128-65-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1128-59-0x0000000000432A3C-mapping.dmp
      Download
    • memory/1248-95-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-54-0x0000000000390000-0x00000000009D2000-memory.dmp
      Filesize

      6.3MB

      Download
    • memory/1784-57-0x000000001C250000-0x000000001C314000-memory.dmp
      Filesize

      784KB

      Download
    • memory/1784-56-0x000007FEFB641000-0x000007FEFB643000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1784-55-0x0000000076DC0000-0x0000000076F69000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1784-62-0x0000000000390000-0x00000000009D2000-memory.dmp
      Filesize

      6.3MB

      Download
    • memory/1784-63-0x0000000076DC0000-0x0000000076F69000-memory.dmp
      Filesize

      1.7MB

      Download