Overview

overview

10

Static

static

1

Presentati...fo.exe

windows7-x64

1

Presentati...fo.exe

windows10-2004-x64

10

Resubmissions

02-09-2023 20:13

230902-yzsd6afd3t 10

Analysis

  • max time kernel
    137s
  • max time network
    275s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2023 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Presentation info/Presentation info.exe

  • Size

    93.2MB

  • MD5

    e06a97f4714b6d0e62c51b3395a64a6e

  • SHA1

    870e5cc5a18acb41c1377c6a47b4cef76723a2e1

  • SHA256

    5e374fbc3960dd68c2cef4209851103f5623957e9815a0be720befd7899d3cc0

  • SHA512

    b0483408723e5bd786d8170c2b46c25d1f37f2bca9f0f6855c8b94a2acea914dd45a3e479299bd9aeb920d6966667b729e7cbe4a03126945d90e4f33c7169df7

  • SSDEEP

    1572864:UjA+Zh4QkjGuWsqebzyuGqNMnKuEqHhaPd5nC8DDkeZZZZZsOKa1pVeOKCr7ZPo:UjA+P43jRWshbzyuNMnlEqIPrzDkeZZs

Score
10/10
vidar86277575c381e1fefb9bf290d771e6f1spywarestealer

Malware Config

Extracted

Family

vidar

Version

5.4

Botnet

86277575c381e1fefb9bf290d771e6f1

C2

https://steamcommunity.com/profiles/76561199545993403

http://79.137.206.192:80

https://t.me/vogogor
Attributes
  • profile_id_v2

    86277575c381e1fefb9bf290d771e6f1

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3236
      • C:\Users\Admin\AppData\Local\Temp\Presentation info\Presentation info.exe
        "C:\Users\Admin\AppData\Local\Temp\Presentation info\Presentation info.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1192
      • C:\Users\Admin\AppData\Roaming\propsys\GUP.exe
        "C:\Users\Admin\AppData\Roaming\propsys\GUP.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3708
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4492
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                6⤵
                • Delays execution with timeout.exe
                PID:4808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit

    • C:\ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\20110b16
      Filesize

      789KB

      MD5

      bc76be427dd97901bc011518f49c97a7

      SHA1

      2e6024cfc516ceed8f555582972b61fdedea09e6

      SHA256

      6204eaddd1ff563fc5447e5623f40cca4ce4fee7c5634a7de14d087ffb0c6902

      SHA512

      7553a661482fdd62b07813ae214a73d1a309ee618d4eb9faf856c7d04858d535582eabb27d11f6c7ab77c7996e9dcc7b727ab62b1613ed4091c8a90eecbb2e2d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\propsys\GUP.exe
      Filesize

      954KB

      MD5

      4620f1ba5072f37bdedf2650c654595d

      SHA1

      7f9079445da0b254457917c97945216eab3536ca

      SHA256

      ff14c25bf61e359668e0eeadb48345737caebf658f04e5b7ab4d4f465d0fd01c

      SHA512

      842a1935e95be85365b24a560c02b6bb9ec424a89c5e4240c28e2c63864da814dd862c5ed32847c5277570bed2cc1f90e94fe23fb5cd9950dbea4de18584313a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\propsys\GUP.exe
      Filesize

      954KB

      MD5

      4620f1ba5072f37bdedf2650c654595d

      SHA1

      7f9079445da0b254457917c97945216eab3536ca

      SHA256

      ff14c25bf61e359668e0eeadb48345737caebf658f04e5b7ab4d4f465d0fd01c

      SHA512

      842a1935e95be85365b24a560c02b6bb9ec424a89c5e4240c28e2c63864da814dd862c5ed32847c5277570bed2cc1f90e94fe23fb5cd9950dbea4de18584313a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\propsys\balletomania.dat
      Filesize

      651KB

      MD5

      2912f77ed01ce8120a5f2f58c4004461

      SHA1

      1e1d45e926ca935cc813cdcd44028c6acd410568

      SHA256

      737e82e773583bc00fc6407d47abc670b319d3a30dad26465b3276d39bed8369

      SHA512

      426023375d76d507c588cef631c4aca1e86ca56109b36eb3c1a71d21180c0d2c0e6ca36b07e7faa099d998dbfa14651de4e5e51107d96632b1505bb8369c3058

      Download Submit

    • C:\Users\Admin\AppData\Roaming\propsys\libcurl.dll
      Filesize

      666KB

      MD5

      a7d4413b2f10c6e6b1663818547e89d1

      SHA1

      16ac5f275430722bbb0f208782202b55646451ca

      SHA256

      632855381a9e80f6f48bea4011f01f2dfa7a42141fe6eeacc58a27947efee196

      SHA512

      a8588dbf67f36b994ae2deb535d27e28d9f747fc1ba4a4303859feb528bedb563775a119f542ce5db1502791fd138eb008b55de29de272a5ca5963ccbe63e5f7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\propsys\libcurl.dll
      Filesize

      666KB

      MD5

      a7d4413b2f10c6e6b1663818547e89d1

      SHA1

      16ac5f275430722bbb0f208782202b55646451ca

      SHA256

      632855381a9e80f6f48bea4011f01f2dfa7a42141fe6eeacc58a27947efee196

      SHA512

      a8588dbf67f36b994ae2deb535d27e28d9f747fc1ba4a4303859feb528bedb563775a119f542ce5db1502791fd138eb008b55de29de272a5ca5963ccbe63e5f7

      Download Submit

    • memory/1192-1-0x00007FF800460000-0x00007FF80078D000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1192-7-0x0000000000400000-0x0000000000634000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2132-12-0x00007FFFF2020000-0x00007FFFF3697000-memory.dmp

      Filesize

      22.5MB

      Download

    • memory/3000-25-0x00000000003D0000-0x0000000000442000-memory.dmp

      Filesize

      456KB

      Download

    • memory/3000-22-0x00000000003D0000-0x0000000000442000-memory.dmp

      Filesize

      456KB

      Download

    • memory/3000-23-0x00007FF8114D0000-0x00007FF8116C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3000-27-0x0000000000B90000-0x0000000000FC3000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/3000-28-0x0000000061E00000-0x0000000061EF3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/3000-70-0x00000000003D0000-0x0000000000442000-memory.dmp

      Filesize

      456KB

      Download

    • memory/3708-21-0x0000000073F80000-0x00000000751D4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3708-19-0x0000000073F80000-0x00000000751D4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3708-18-0x0000000073F80000-0x00000000751D4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3708-15-0x00007FF8114D0000-0x00007FF8116C5000-memory.dmp

      Filesize

      2.0MB

      Download