Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2023 22:14

General

  • Target

    bank_statement.scr

  • Size

    25MB

  • MD5

    dedd66f7cdc48224fb7fcbc795f69bfd

  • SHA1

    00ab7277c89b9f0608f00997b219881a92e36888

  • SHA256

    b11e85d0eed98a012f018c818f72a0bc0d0521ea132a45a58f5de92da924c225

  • SHA512

    4ea3119416c786ec9667eaa499b3af40d196f4ecf2ffaac5e5b78ccbaba34ab867e302a10fc7964dc95284fafcffdeca3361886dffdc2c2ba2bf2fb5e664b8c3

  • SSDEEP

    393216:iEbUSKA4SNAwLpQfgVehx8oyLZ8Ae0sCK9UCUQkiWajOHkzhSbfA:7bUXA4Vv9eoyt8Ae07K2CUdiWajOHe

Malware Config

Extracted

Family

vidar

Version

4.1

Botnet

850dc0663d2676536f88b82b3382fcb4

C2

https://steamcommunity.com/profiles/76561199510444991

https://t.me/task4manager

Attributes
  • profile_id_v2

    850dc0663d2676536f88b82b3382fcb4

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (2 IoCs)
  • Accesses 2FA software files, possible credential harvesting (2 TTPs)
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (38 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bank_statement.scr
    "C:\Users\Admin\AppData\Local\Temp\bank_statement.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2220

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (2) T1081
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (3) T1082
  • Collection
    Data from Local System (2) T1005

Downloads

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll
    Filesize

    1MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    a3af0fe7f6bead950f076de281a5a1d2

    SHA1

    e55d189a5525b7871835548e5f777de0ff42e755

    SHA256

    ce484ca22f8966e31b9b5aafef1a970d37525122fb7c9d39976e743264f77890

    SHA512

    9818ad2387ceba8fe3afbe60070354c39eb13783653e8e28c84bd7e61678627942a6df06778d4e4b72d525c843d74bd97e4edc93af960e45500912e41c2c5693

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpui1uvy.xjk.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/232-188-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize

    972KB

  • memory/232-178-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

  • memory/232-175-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

  • memory/232-256-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

  • memory/232-257-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

  • memory/2220-173-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmp
    Filesize

    64KB

  • memory/2220-172-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmp
    Filesize

    64KB

  • memory/2220-171-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmp
    Filesize

    64KB

  • memory/2704-139-0x00007FF94C230000-0x00007FF94C232000-memory.dmp
    Filesize

    8KB

  • memory/2704-177-0x0000000001FA0000-0x0000000002023000-memory.dmp
    Filesize

    524KB

  • memory/2704-134-0x00007FF94E5A0000-0x00007FF94E5A2000-memory.dmp
    Filesize

    8KB

  • memory/2704-135-0x00007FF94E5B0000-0x00007FF94E5B2000-memory.dmp
    Filesize

    8KB

  • memory/2704-154-0x0000000001FA0000-0x0000000002023000-memory.dmp
    Filesize

    524KB

  • memory/2704-136-0x00007FF94E060000-0x00007FF94E062000-memory.dmp
    Filesize

    8KB

  • memory/2704-140-0x0000000140000000-0x00000001428FF000-memory.dmp
    Filesize

    40MB

  • memory/2704-137-0x00007FF94E070000-0x00007FF94E072000-memory.dmp
    Filesize

    8KB

  • memory/2704-133-0x00007FF94E590000-0x00007FF94E592000-memory.dmp
    Filesize

    8KB

  • memory/2704-138-0x00007FF94C220000-0x00007FF94C222000-memory.dmp
    Filesize

    8KB

  • memory/3328-157-0x0000014499660000-0x0000014499670000-memory.dmp
    Filesize

    64KB

  • memory/3328-144-0x00000144997F0000-0x0000014499812000-memory.dmp
    Filesize

    136KB

  • memory/3328-155-0x0000014499660000-0x0000014499670000-memory.dmp
    Filesize

    64KB

  • memory/3328-156-0x0000014499660000-0x0000014499670000-memory.dmp
    Filesize

    64KB