Overview

overview

10

Static

static

3

Undetections.exe

windows7-x64

3

Undetections.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    11s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 04:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Undetections.exe

  • Size

    1.7MB

  • MD5

    3af8847a68f187e5425af04cfe48d1cf

  • SHA1

    51005458a440023c8537db8a72f19094b91837b4

  • SHA256

    d241425f895f1f32b3f619c33d9b95820a25feb7ded489d449f36ac3c96b9865

  • SHA512

    50917f9580eb47f0b01cc90d57d40dca9eacdf01e5a80089148aa11fdbca2585e4c5cbf046f95c806f0771d4c47b7cfe7e477141d5352a4f9e4bc47ec2002f5e

  • SSDEEP

    12288:5V6HFV6H/YUeD1zgrmoxdGxa1PI+QDXMZ6GQ6ov2m+UtbVkGDvAd1sYV:5UHFUH/+1UrmyWalINbQUv2gVbAdR

Score
10/10
vidarstealer

Malware Config

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199662282318

https://t.me/t8jmhl
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0

Signatures

  • Detect Vidar Stealer 3 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Undetections.exe
    "C:\Users\Admin\AppData\Local\Temp\Undetections.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Roaming\Undetections\spoofer.exe
      "C:\Users\Admin\AppData\Roaming\Undetections\spoofer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:3440
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1112
            4⤵
            • Program crash
            PID:3276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3440 -ip 3440
      1⤵
        PID:3380

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Undetections\spoofer.exe
              Filesize

              214KB

              MD5

              96ef850d149542b53f033375b1c50cc9

              SHA1

              d1524ed874c286ef4169c588ea2f1f2b8c9993d9

              SHA256

              abb5ba187c21034264cae6ae84962b22c58cbb81442b059b9a0afc3234182c7e

              SHA512

              ca79888198b1aa435ce2d6920068dd409804572d6058dbc68d8ab94983bf92749ba14a8adb5a3aea7cd3883a45eaa9298cf37dc6267aea76473b1b119ed9f2ae

              Download Submit

            • memory/2988-40-0x0000000002FE0000-0x0000000004FE0000-memory.dmp

              Filesize

              32.0MB

              Download

            • memory/2988-38-0x00000000744F0000-0x0000000074CA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2988-30-0x00000000744F0000-0x0000000074CA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2988-28-0x0000000000BF0000-0x0000000000C2C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/3440-39-0x0000000000400000-0x0000000000648000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3440-35-0x0000000000400000-0x0000000000648000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3440-32-0x0000000000400000-0x0000000000648000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4556-5-0x0000000005630000-0x000000000563A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4556-9-0x0000000005540000-0x0000000005550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4556-10-0x0000000005540000-0x0000000005550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4556-11-0x0000000015B00000-0x0000000015B0A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4556-13-0x0000000015B90000-0x0000000015BA2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4556-8-0x0000000006110000-0x0000000006184000-memory.dmp

              Filesize

              464KB

              Download

            • memory/4556-7-0x0000000005B10000-0x0000000005B24000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4556-6-0x00000000059A0000-0x0000000005AEE000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4556-0-0x0000000000A40000-0x0000000000BFC000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4556-4-0x0000000005540000-0x0000000005550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4556-3-0x0000000005650000-0x00000000056E2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4556-2-0x0000000005B60000-0x0000000006104000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4556-1-0x00000000744F0000-0x0000000074CA0000-memory.dmp

              Filesize

              7.7MB

              Download