Overview

overview

10

Static

static

3

Full_Activ...up.exe

windows7-x64

10

Full_Activ...up.exe

windows10-2004-x64

10

infos/Mana...rp.dll

windows7-x64

1

infos/Mana...rp.dll

windows10-2004-x64

1

infos/Mana...ty.dll

windows7-x64

1

infos/Mana...ty.dll

windows10-2004-x64

1

infos/Mana...ws.dll

windows7-x64

1

infos/Mana...ws.dll

windows10-2004-x64

1

infos/Mana...re.dll

windows7-x64

1

infos/Mana...re.dll

windows10-2004-x64

1

infos/Mana...ml.dll

windows7-x64

1

infos/Mana...ml.dll

windows10-2004-x64

1

infos/Mana...em.dll

windows7-x64

1

infos/Mana...em.dll

windows10-2004-x64

1

infos/Mana...me.dll

windows7-x64

1

infos/Mana...me.dll

windows10-2004-x64

1

infos/Mana...me.dll

windows7-x64

1

infos/Mana...me.dll

windows10-2004-x64

1

infos/Mana...me.dll

windows7-x64

1

infos/Mana...me.dll

windows10-2004-x64

1

infos/Mana...ro.dll

windows7-x64

1

infos/Mana...ro.dll

windows10-2004-x64

1

infos/Mana...le.dll

windows7-x64

1

infos/Mana...le.dll

windows10-2004-x64

1

infos/Mana...le.dll

windows7-x64

1

infos/Mana...le.dll

windows10-2004-x64

1

infos/Mana...le.dll

windows7-x64

1

infos/Mana...le.dll

windows10-2004-x64

1

infos/Mana...le.dll

windows7-x64

1

infos/Mana...le.dll

windows10-2004-x64

1

infos/Mana...le.dll

windows7-x64

1

infos/Mana...le.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2024 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Full_Activate_Setup.exe

  • Size

    7.3MB

  • MD5

    49b6bce6cd0111433969c39a62635f91

  • SHA1

    0e34b4e770cc7d018b955bc14dabb205321e872c

  • SHA256

    29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5

  • SHA512

    4737663a5a6b30779650dcaa461b7751bfb735d2c906d04d877604db5a270f68205e0ff1240f2509f2835d885708b849759b10d22deff3bf0f03579bd1402ff8

  • SSDEEP

    49152:/Ph7SQtfhuOhfEPOBjP9P6SOgjha5VKnRt3RQ9Wpvgt4sbVpEmVT1oG3vTROBYxI:ntBbz3q9QluER

Score
10/10
vidarb86ed69267e5641d44dafebd064d1e80stealer

Malware Config

Extracted

Family

vidar

Version

7.8

Botnet

b86ed69267e5641d44dafebd064d1e80

C2

https://65.109.242.97

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579
Attributes
  • profile_id_v2

    b86ed69267e5641d44dafebd064d1e80

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

  • Detect Vidar Stealer 3 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Suspicious use of SetThreadContext 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Full_Activate_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Full_Activate_Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Users\Admin\AppData\Local\Temp\gsd.exe
        C:\Users\Admin\AppData\Local\Temp\gsd.exe
        3⤵
        • Loads dropped DLL
        PID:3112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 2016
          4⤵
          • Program crash
          PID:2088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3112 -ip 3112
    1⤵
      PID:2904
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2072
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3116
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:468
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:220
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\02UVB9AJ\microsoft.windows[1].xml
      Filesize

      97B

      MD5

      83971812676cf95291ec7f877a86cc31

      SHA1

      6ba5026046b1fb0c3090ec64bcc1e64de02925f8

      SHA256

      973963be7824f2999e80230d035bb854b1437facf9e58f262e462f4ba438d5a3

      SHA512

      b2bc0be5e4e88c0eb332d364ba90aa54c2cc8d5bc221c22c248e204a58e8b8c60269f134fe427cda1ca013780fa3baffb09a0da34a850fe181f719fe466f0f3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bd1202d6
      Filesize

      2.2MB

      MD5

      54187a28ac4a10dff367db67959ce8da

      SHA1

      45ab569ed6e52fcf56a56bcfd863cbaf9f9d2231

      SHA256

      eead0c3930b5dff4ab6901eb52190527e47ce8d86f27c8fd8dcc6e8230f8f787

      SHA512

      45f16943bb1955ef50236dbcee66741b909c2cf42313ea91613e1ab90d8db9625d9656d117d32c86827c2e4940bb80e582fd53fa1a09c169dc803e472830b42b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gsd.exe
      Filesize

      82KB

      MD5

      9e368252cee939f6a19df11945968a54

      SHA1

      633407597d5ef809dacfcc176b5bdebe4b3e92d8

      SHA256

      dc1175b2170d87f53512761950ac3fbfd13afabade3ed4ae18627c4625a58dfd

      SHA512

      7b6a03bec0f8c17c030621b5da8e39b0662ecad6e41f44d8085d6d8d0cae62452ed1dafac9f678b9355f804997b7feb9c7ebd981172b45144b76c98e3d30fe61

      Download Submit

    • C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
      Filesize

      380KB

      MD5

      85910654a936a41f94b8629ff194ce7d

      SHA1

      c1a3b8b25f6e1ff581768fa98b0cf3b6c1a0f3bf

      SHA256

      1f2c9f0fecbde78f3c4c1b264ac93f009ff060e70d33e34906eb185fb70592ca

      SHA512

      e6b95670ba24901504fd0b461fb15bc9d607a9fe8e22bd328a73600b9eda84aebca8e1218e648e3a4f4e828f423c3ed6be0b005989bd216edc984eafd7ee96c8

      Download Submit

    • C:\vcredist2010_x64.log.html
      Filesize

      86KB

      MD5

      91e809f673318c00f1ce79aad41b691a

      SHA1

      e94e83fca12a9deef9bbfc2686ed3c75b6de4f63

      SHA256

      b01b1da7a0203d87772453f645d5b5681f93410a6900752f4850b3f239dd73fa

      SHA512

      df1ce02bb78dd4d777487fd98b1636989ca9b246b5bab747ecc22aad956441e3bcdd81d0ef0f8bd5c45e2da6f6c89355d7baeffcb75457080d517812d0380ffb

      Download Submit

    • C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
      Filesize

      394KB

      MD5

      0c6a4915cf597a84ea7334ed9b2a8e3d

      SHA1

      eb18e8d1d30e1a9833ca6f1b100dd86bb32d19d5

      SHA256

      1265f9584717c93dd261146e23614ad7d13fe2306ead63aec943c45464ec1c66

      SHA512

      a7874323e787744b0bdc60d35584c9b524620bde9d9a5bf2b619c4ff4ab60932c114f04c64711008e2381fd0a85cc769368ed6722425931eed9c693dedf38bf4

      Download Submit

    • C:\vcredist2010_x86.log.html
      Filesize

      80KB

      MD5

      13779298e5c08aba1739cf1556b5c464

      SHA1

      8829632fb09b567783dd51b76614c79ffe4960de

      SHA256

      5e6487e8401f70cda3f57c9da3fec39ecece4e0ddb21de01a63df38bcf6c8ea7

      SHA512

      a92c80a6cc4e12cde902ee3fbab552894cd1f7c20f62e2134eb379a7ff35644610bd326d20bde282d83e7287fc4233edf12c47cc6f54b66104cd04bac5cee561

      Download Submit

    • C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
      Filesize

      167KB

      MD5

      0d02301e6f50449ad25b030a63c58df9

      SHA1

      565546e96b9a0b8c18e652c29058cd57299d093b

      SHA256

      d867b7bbdc252c9ffb2e93f9419ce25d86c375c1832cb52f32538e808e4e5211

      SHA512

      e79e0945739f13a04fc56904de9d3ebe12bbeea8c3f6c4f4f76ffb5a7b0b0c0c63a7be41760dd5a1dbd1017dbb09c4dec97791c6f9f358485253c28cf0f396d1

      Download Submit

    • C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
      Filesize

      195KB

      MD5

      d5a6e39037d8b0f61ee2a4ff69edaab3

      SHA1

      03f580d36e7479be89fc0a7be6945afdf58aa43f

      SHA256

      b20c96f3091ec5c5516b26308a18f68402a24b24d327520ded14c287833f0318

      SHA512

      7202783035fee80a136359b57a153a0b7dc9619ef9d5937b31f2316fbecc7361b1024458fb2e5768e7e0d7bb20d0ac3c5950bbad32689df01480567ae661aa20

      Download Submit

    • C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
      Filesize

      170KB

      MD5

      624804fe39aeae57951d2e802efbfbbe

      SHA1

      b7cac2bb32fd3228319784b5a85abab3a882392e

      SHA256

      4c772b2658ce424d27fc54b498a0f9b86614a6c25153a90460cb2cabbbc6714e

      SHA512

      17020e4cbbfd970554b7ae462b4fc890644b0edc74269302f8d1a03897013348502498df9d2e07c6a47634d933f30b06b705673ac32404cdb2cbbda4772d5564

      Download Submit

    • C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
      Filesize

      208KB

      MD5

      992a1a5e219bb66943ee52de398ac300

      SHA1

      fe6449534b04025b3afa911f4f2674f4b3c0072d

      SHA256

      43274752695d9eac5b96bb9c5ff5952428c32df1064b79d915002b86ed73a897

      SHA512

      86211e180ec5503a97b68fba973101b73c4c646053676c87bcc5b758af17178af431983a7e25f3c57f89c413deb93c9e7d03e4313e37de11573f310553be9366

      Download Submit

    • C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log
      Filesize

      170KB

      MD5

      38b110c34cdfd0d9880697ab7186bf7f

      SHA1

      ae26d349d2db95039570b404db04cacaceb45c0e

      SHA256

      bd861d03800a32239b5e5e36130966bf55e15b59accb9aca5df3c7ef881b0d75

      SHA512

      9a83b37b9e551341c01c0bc6fc687ee77bf9dc187b48e0a549b2dfd4812c515d64e4a46154ac5c6719af4851e4e6137ee36faf78eed8b1547878ba728dbd771c

      Download Submit

    • C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log
      Filesize

      190KB

      MD5

      04bb658a5ad78df51b3aded018a1b4f0

      SHA1

      6c34d03d1e8bf69cf9132c13ac51015bcd9501ef

      SHA256

      f60ed799eedc8873cbed6fa79992fe3c39a90f383671587cee600f44d6d823cc

      SHA512

      7300ab654b28122886349e72dd307de674af4a0b2ba7a6b6a0b92c5636f5edf980ef30185aa2407d731f91994155f7b74c2ca95c78e97990a8eff9ac1c275cae

      Download Submit

    • C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
      Filesize

      170KB

      MD5

      32a854862c76c04dfca5223eb047c5d2

      SHA1

      87480d42746c3784605f6cb039ea6e2f2753b23d

      SHA256

      fd73283b3ffc2132e3bade6f06f4faa6b26bd48f164e9cfd151b4e7981219d93

      SHA512

      697f9174ce7d7ffe1b33c0875c44d5c563a29913f596ade930a1c759c1b41b69b78641651dac98547293182efc8236771e4226961b8f1ce9eda73bfb1501f360

      Download Submit

    • C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log
      Filesize

      198KB

      MD5

      cd3173f2f6574f504b83cda9355b0856

      SHA1

      184f9aa361a07f60a45bac8da42c27893db1b7fd

      SHA256

      274a9a116e33cdbc9debccdbb6ecee9369944a300c2d0035fa19e63a463d460a

      SHA512

      6746887b6f0269f914d7ab149d3692bb77c140410bd5157860daa577041278a515ef689c29ec53b46733505cb33613d0137a106d7b7f29e91d7a985191622f0b

      Download Submit

    • C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
      Filesize

      123KB

      MD5

      a804ca71a43515fc1f3f4a8f5aec1c23

      SHA1

      c350ad0b555050cbaf8fb7c7c957b578abcdccef

      SHA256

      2728c38a44d57a7499117ad0eeecec6213437c4273085c0e3d20554880ea4f95

      SHA512

      7c7823be1cd0c862568adc7482dc30ce4fdba7f51aa587f8567b66c5567561f0200b77b8ec026eba3e6f2f9165c470316b76b8d3a75900edb0f238eec5b2c966

      Download Submit

    • C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
      Filesize

      129KB

      MD5

      07646605398faf6330454cef7ea4baef

      SHA1

      98381c0c3d80f62168410eb02168273825ef24bd

      SHA256

      15ffb37a0423351aa91f4544768d24b5cd5702a0613dffd7b368e24532792fa8

      SHA512

      3451deaf7556adaf49a1210d8c698eba049bc57b6f4c4997ffbe6e71d8da287cfc82bc23d9de1737f69f6e3c6327d08015b664227c296bb85ebafb8a319f21d9

      Download Submit

    • C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log
      Filesize

      123KB

      MD5

      2e61f39c371d627cbe0c4be8b295efb5

      SHA1

      f42a81f5e34d403e82ca5ab9e03d4ad463538f2b

      SHA256

      77e3252b6d9181c37d591fb579a7965554609ec8fd22cf2f42b1c26b82c7ebc8

      SHA512

      40f1b941fe303b64ba0090098bf30190137eb001d9896747467f4b12f5af674c07451d9025dad647dd6bd1e03054360b0493651c5a2a59738775ed025bcd5ba3

      Download Submit

    • C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log
      Filesize

      135KB

      MD5

      bc993a296318caf48a714cd070f2a324

      SHA1

      98ff323e7309ea4b4d41767858e01d1e05c19e2f

      SHA256

      0ea5f427e430b366d0015f6cdc446432cb604af94a05dfd20f7b9ba3c0361034

      SHA512

      a8e0a29e4854a75f9e33f49a9e8201098c5ebcb811a8a48e8bf9b083334afa897501a89ca769ee23e77f972afdf84082474c1a918556a45119b4d59c624c2555

      Download Submit

    • memory/220-111-0x00000278D9FA0000-0x00000278D9FC0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/220-113-0x00000278D9F60000-0x00000278D9F80000-memory.dmp

      Filesize

      128KB

      Download

    • memory/220-116-0x00000278DA370000-0x00000278DA390000-memory.dmp

      Filesize

      128KB

      Download

    • memory/468-97-0x0000019E40760000-0x0000019E40780000-memory.dmp

      Filesize

      128KB

      Download

    • memory/468-90-0x0000019E40390000-0x0000019E403B0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/468-93-0x0000019E40350000-0x0000019E40370000-memory.dmp

      Filesize

      128KB

      Download

    • memory/968-9-0x00007FFBC37D0000-0x00007FFBC39C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/968-15-0x0000000074E20000-0x0000000074F9B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/968-12-0x0000000074E20000-0x0000000074F9B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/968-11-0x0000000074E20000-0x0000000074F9B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2072-48-0x0000022180940000-0x0000022180960000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2072-50-0x0000022180900000-0x0000022180920000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2072-52-0x0000022180D00000-0x0000022180D20000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2800-7-0x0000000000400000-0x0000000000B62000-memory.dmp

      Filesize

      7.4MB

      Download

    • memory/2800-5-0x00007FFBA5650000-0x00007FFBA57C2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2800-4-0x00007FFBA5650000-0x00007FFBA57C2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2800-0-0x00007FFBA5650000-0x00007FFBA57C2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3112-21-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3112-23-0x0000000000F20000-0x0000000001668000-memory.dmp

      Filesize

      7.3MB

      Download

    • memory/3112-22-0x0000000000F20000-0x0000000001668000-memory.dmp

      Filesize

      7.3MB

      Download

    • memory/3112-19-0x0000000000F20000-0x0000000001668000-memory.dmp

      Filesize

      7.3MB

      Download

    • memory/3112-18-0x00007FFBC37D0000-0x00007FFBC39C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3116-73-0x0000019CBC2A0000-0x0000019CBC2C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3116-71-0x00000194BAE90000-0x00000194BAEB0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3116-69-0x00000194BAED0000-0x00000194BAEF0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4032-129-0x00000162E8ED0000-0x00000162E8EF0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4032-131-0x00000162E8E90000-0x00000162E8EB0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4032-134-0x00000162E9540000-0x00000162E9560000-memory.dmp

      Filesize

      128KB

      Download