Overview

overview

10

Static

static

1

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2023, 16:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    313KB

  • MD5

    20d9d36f5638f94aaa9006509a51cfd3

  • SHA1

    7125032ba7af2c12818b6a6f2723c00f665d90fb

  • SHA256

    5d8a2b6b4f2b1de4befaeab782df22bc0a39f59a38b0427010b968a3e9aa73b5

  • SHA512

    c375e7b6d11f8eeb3a09e02a5910eda7c8dd95ea7d2a431197b8a4cedf62a1832dca81e387db408f12ce21985e52b0404c103905dd76e6c644350ff4f9096ac2

  • SSDEEP

    6144:lahOtBowEgccoJuOLMEl7AA3UkXVk4KE9WN:liwB5ccNOLMG7AAkkXVkM9I

Score
10/10
vidar883a19adca53fadaea8c48be5943ba41persistencespywarestealer

Malware Config

Extracted

Family

vidar

Version

3.5

Botnet

883a19adca53fadaea8c48be5943ba41

C2

https://steamcommunity.com/profiles/76561199497218285

https://t.me/tg_duckworld
Attributes
  • profile_id_v2

    883a19adca53fadaea8c48be5943ba41

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\raisearchitect.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\raisearchitect.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
          PID:2412
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
            PID:1876
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            3⤵
              PID:4744
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              3⤵
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:5100
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 2032
                4⤵
                • Program crash
                PID:4572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
          1⤵
            PID:4648

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\mozglue.dll
                  Filesize

                  593KB

                  MD5

                  c8fd9be83bc728cc04beffafc2907fe9

                  SHA1

                  95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                  SHA256

                  ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                  SHA512

                  fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                  Download Submit

                • C:\ProgramData\nss3.dll
                  Filesize

                  2.0MB

                  MD5

                  1cc453cdf74f31e4d913ff9c10acdde2

                  SHA1

                  6e85eae544d6e965f15fa5c39700fa7202f3aafe

                  SHA256

                  ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                  SHA512

                  dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\raisearchitect.exe
                  Filesize

                  587KB

                  MD5

                  d2ff667b42a5583ae8abe4e470b44bd8

                  SHA1

                  7452b5240dbc26fa8dd41139871671849d108a44

                  SHA256

                  01b8c79e9547474bd42fa2f4bcfa7c01f8a284be74cef169728c23aae543f133

                  SHA512

                  0424f041f9ba668bcbe1d8344731b1137763b164d892842de444c8ecb5851a57a0e82ed7d118584aef89656def7388d9fb233f92ccc4394db2a45c94ae32beed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\raisearchitect.exe
                  Filesize

                  587KB

                  MD5

                  d2ff667b42a5583ae8abe4e470b44bd8

                  SHA1

                  7452b5240dbc26fa8dd41139871671849d108a44

                  SHA256

                  01b8c79e9547474bd42fa2f4bcfa7c01f8a284be74cef169728c23aae543f133

                  SHA512

                  0424f041f9ba668bcbe1d8344731b1137763b164d892842de444c8ecb5851a57a0e82ed7d118584aef89656def7388d9fb233f92ccc4394db2a45c94ae32beed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4zegyw5.2d5.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • memory/752-138-0x0000000000A10000-0x0000000000AAA000-memory.dmp

                  Filesize

                  616KB

                  Download

                • memory/752-139-0x0000000005590000-0x00000000055A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/752-140-0x0000000007D80000-0x0000000007DA2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/752-157-0x0000000005590000-0x00000000055A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2128-158-0x00000000075F0000-0x0000000007C6A000-memory.dmp

                  Filesize

                  6.5MB

                  Download

                • memory/2128-162-0x0000000002890000-0x00000000028A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2128-151-0x0000000005710000-0x0000000005776000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2128-156-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/2128-144-0x0000000004EE0000-0x0000000005508000-memory.dmp

                  Filesize

                  6.2MB

                  Download

                • memory/2128-143-0x0000000002890000-0x00000000028A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2128-159-0x0000000006280000-0x000000000629A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/2128-160-0x0000000002890000-0x00000000028A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2128-161-0x0000000002890000-0x00000000028A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2128-145-0x00000000056A0000-0x0000000005706000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2128-141-0x00000000027D0000-0x0000000002806000-memory.dmp

                  Filesize

                  216KB

                  Download

                • memory/2128-142-0x0000000002890000-0x00000000028A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/5100-169-0x0000000000400000-0x000000000046C000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/5100-170-0x0000000000400000-0x000000000046C000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/5100-180-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                  Filesize

                  972KB

                  Download

                • memory/5100-168-0x0000000000400000-0x000000000046C000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/5100-166-0x0000000000400000-0x000000000046C000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/5100-233-0x0000000000400000-0x000000000046C000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/5100-234-0x0000000000400000-0x000000000046C000-memory.dmp

                  Filesize

                  432KB

                  Download