Analysis
- max time kernel: 56s
- max time network: 95s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/03/2024, 16:30
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Setup.exe, Resource: win11-20240221-en)
- Behavioral task: behavioral2 (Sample: Updater.exe, Resource: win11-20240221-en)
- Behavioral task: behavioral3 (Sample: javaws.jar, Resource: win11-20240221-en)
General
- Target: Setup.exe
- Size: 781.9MB
- MD5: 3e65c79aa68e45aa754a4821466d7c0e
- SHA1: ddce431cd4e2cfd1c1da4e67fe953cb3ab7ef0d6
- SHA256: 0f1c2451ea8089098d0a326098eabc56c3515309c142f2b041d455629580225a
- SHA512: e7b77610dc4b4425d4914209d420d9588643e0a966aff92572fdb609327f8736fe06486c616d4028b114c25f1182c7ff87ba3b5bc760c19a0ffd98ec8dbea09c
- SSDEEP: 196608:BaHqFS4OyKE0EoWx7J1YM146W4b1sBUwnFISIWsnp/f+Ny7AeEYuBt:/S4O0lowTW8aBlFISIfn4Ny0FYuBt
Malware Config
Extracted
- Family: vidar
- 8
- 72c188b514339a2282c548d02df38a4a
- https://steamcommunity.com/profiles/76561199644883218
- https://t.me/neoschats
- profile_id_v2: 72c188b514339a2282c548d02df38a4a
- user_agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78
Signatures
- Detect Vidar Stealer (3 IoCs)
  resource | yara_rule
  behavioral1/memory/4932-6-0x00000000006E0000-0x0000000001ADA000-memory.dmp | family_vidar_v7
  behavioral1/memory/4932-8-0x00000000006E0000-0x0000000001ADA000-memory.dmp | family_vidar_v7
  behavioral1/memory/4932-16-0x00000000006E0000-0x0000000001ADA000-memory.dmp | family_vidar_v7
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  3152 | 4932 | WerFault.exe | 79
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4932 | Setup.exe
  4932 | Setup.exe
  4932 | Setup.exe
  4932 | Setup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  Suspicious behavior: EnumeratesProcesses
  PID:4932
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 2372
    Program crash
    PID:3152
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
  PID:4076
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID:4604
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
  PID:4988