Overview

overview

10

Static

static

7

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    79s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 12:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b.exe

  • Size

    3.3MB

  • MD5

    d2192209d6892b9bf8e6d155a53b69a5

  • SHA1

    f417394441a253f7f0ef661b00905fa51c71b4fc

  • SHA256

    b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b

  • SHA512

    6cbe6898897864cd99579f000806867724c65327125250bb382204e012d375c9211acdac3cdfa36091daee42b0a1394777f69a51ad192ad9dabc7449af4c903f

  • SSDEEP

    49152:B9fBVAeoycp8DtPCrZPKh0wCqMEvhuwteJoltx6I+PGnGToq5aOCDDHV3:BnVAeh+8Dtqtyh5Iw4qZoGnZOCfHl

Score
10/10
vidarhttps://t.me/sundayeventevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

4.8

Botnet

https://t.me/sundayevent

C2

https://t.me/sundayevent

https://steamcommunity.com/profiles/76561198982268531
Attributes
  • profile_id_v2

    https://t.me/sundayevent

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b.exe
    "C:\Users\Admin\AppData\Local\Temp\b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\ProgramData\15230580034268200751.exe
        "C:\ProgramData\15230580034268200751.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\15230580034268200751.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2152
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 0
            5⤵
              PID:3024
        • C:\ProgramData\31033182315222576863.exe
          "C:\ProgramData\31033182315222576863.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3960
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /TN "DotNetStartup" /TR "C:\ProgramData\DotNetSecurity\DotNetServer.exe" /SC MINUTE /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:3128
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            4⤵
            • Delays execution with timeout.exe
            PID:3892
    • C:\ProgramData\DotNetSecurity\DotNetServer.exe
      C:\ProgramData\DotNetSecurity\DotNetServer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4860

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\15230580034268200751.exe
            Filesize

            13.9MB

            MD5

            93a4e8e9adf632c0d8a16f4b47418803

            SHA1

            24be78227a11ecfbd14c84f8881cc4d26422bfe9

            SHA256

            ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

            SHA512

            7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

            Download Submit

          • C:\ProgramData\15230580034268200751.exe
            Filesize

            13.9MB

            MD5

            93a4e8e9adf632c0d8a16f4b47418803

            SHA1

            24be78227a11ecfbd14c84f8881cc4d26422bfe9

            SHA256

            ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

            SHA512

            7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

            Download Submit

          • C:\ProgramData\15230580034268200751.exe
            Filesize

            13.9MB

            MD5

            93a4e8e9adf632c0d8a16f4b47418803

            SHA1

            24be78227a11ecfbd14c84f8881cc4d26422bfe9

            SHA256

            ecef465a5a60acb69ea5e4017dfe44d441d0127ef958686af8ccca48eae0e135

            SHA512

            7f6d41cf73bbbecb312ea85e06ab56bc9d54fcbb58ef3a68e0c16600284d6e810e029ef6f17970cd3732bcef5bd88566d808d407c54bd874df3f6092b6c1a620

            Download Submit

          • C:\ProgramData\31033182315222576863.exe
            Filesize

            4.4MB

            MD5

            45c13576b9eadde3d24494a318fd794f

            SHA1

            d14f9ff23e7b100035ddb35ea321b3d06819d530

            SHA256

            d49592ffea94e11063c973edc95b95e8ce38c592627fe6de6bfd73062b8d3438

            SHA512

            714e46fb431fb0a94a2d307dad8a02e24205c1b3dc74225ed6cb296732e2c657ef4d7fa319a8071c8d0635d8851301df14889ebc5ea4ef3329f7fa523eaa9a3c

            Download Submit

          • C:\ProgramData\31033182315222576863.exe
            Filesize

            4.4MB

            MD5

            45c13576b9eadde3d24494a318fd794f

            SHA1

            d14f9ff23e7b100035ddb35ea321b3d06819d530

            SHA256

            d49592ffea94e11063c973edc95b95e8ce38c592627fe6de6bfd73062b8d3438

            SHA512

            714e46fb431fb0a94a2d307dad8a02e24205c1b3dc74225ed6cb296732e2c657ef4d7fa319a8071c8d0635d8851301df14889ebc5ea4ef3329f7fa523eaa9a3c

            Download Submit

          • C:\ProgramData\31033182315222576863.exe
            Filesize

            4.4MB

            MD5

            45c13576b9eadde3d24494a318fd794f

            SHA1

            d14f9ff23e7b100035ddb35ea321b3d06819d530

            SHA256

            d49592ffea94e11063c973edc95b95e8ce38c592627fe6de6bfd73062b8d3438

            SHA512

            714e46fb431fb0a94a2d307dad8a02e24205c1b3dc74225ed6cb296732e2c657ef4d7fa319a8071c8d0635d8851301df14889ebc5ea4ef3329f7fa523eaa9a3c

            Download Submit

          • C:\ProgramData\DotNetSecurity\DotNetServer.exe
            Filesize

            4.4MB

            MD5

            45c13576b9eadde3d24494a318fd794f

            SHA1

            d14f9ff23e7b100035ddb35ea321b3d06819d530

            SHA256

            d49592ffea94e11063c973edc95b95e8ce38c592627fe6de6bfd73062b8d3438

            SHA512

            714e46fb431fb0a94a2d307dad8a02e24205c1b3dc74225ed6cb296732e2c657ef4d7fa319a8071c8d0635d8851301df14889ebc5ea4ef3329f7fa523eaa9a3c

            Download Submit

          • C:\ProgramData\DotNetSecurity\DotNetServer.exe
            Filesize

            4.4MB

            MD5

            45c13576b9eadde3d24494a318fd794f

            SHA1

            d14f9ff23e7b100035ddb35ea321b3d06819d530

            SHA256

            d49592ffea94e11063c973edc95b95e8ce38c592627fe6de6bfd73062b8d3438

            SHA512

            714e46fb431fb0a94a2d307dad8a02e24205c1b3dc74225ed6cb296732e2c657ef4d7fa319a8071c8d0635d8851301df14889ebc5ea4ef3329f7fa523eaa9a3c

            Download Submit

          • C:\ProgramData\mozglue.dll
            Filesize

            593KB

            MD5

            c8fd9be83bc728cc04beffafc2907fe9

            SHA1

            95ab9f701e0024cedfbd312bcfe4e726744c4f2e

            SHA256

            ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

            SHA512

            fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

            Download Submit

          • C:\ProgramData\nss3.dll
            Filesize

            2.0MB

            MD5

            1cc453cdf74f31e4d913ff9c10acdde2

            SHA1

            6e85eae544d6e965f15fa5c39700fa7202f3aafe

            SHA256

            ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

            SHA512

            dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

            Download Submit

          • memory/3364-270-0x00000000003F0000-0x000000000123D000-memory.dmp

            Filesize

            14.3MB

            Download

          • memory/3960-295-0x0000000000400000-0x0000000000B0E000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3960-283-0x0000000000C80000-0x0000000000C81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3960-285-0x0000000000400000-0x0000000000B0E000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3960-284-0x0000000000400000-0x0000000000B0E000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4496-151-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-178-0x00000000004B0000-0x0000000000B98000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4496-159-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-161-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-163-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-165-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-167-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-169-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-171-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-134-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4496-135-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4496-136-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4496-137-0x0000000076EF4000-0x0000000076EF6000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4496-143-0x00000000004B0000-0x0000000000B98000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4496-179-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4496-141-0x00000000004B0000-0x0000000000B98000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4496-155-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-153-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-142-0x00000000055F0000-0x000000000568C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4496-157-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-133-0x00000000004B0000-0x0000000000B98000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4496-149-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-148-0x00000000032C0000-0x00000000032D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4496-147-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4496-145-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4496-144-0x00000000764F0000-0x00000000765E0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4752-259-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-279-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-282-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-258-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-189-0x0000000061E00000-0x0000000061EF3000-memory.dmp

            Filesize

            972KB

            Download

          • memory/4752-176-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-174-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-173-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4752-172-0x0000000000400000-0x00000000004A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/4860-298-0x0000000000400000-0x0000000000B0E000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4860-299-0x0000000000B70000-0x0000000000B71000-memory.dmp

            Filesize

            4KB

            Download