Analysis Overview
SHA256
2819a0766eaeae0bd917d587010086905fa4790370eef236965602147cdc053f
Threat Level: Known bad
The submitted file (its name is garbled on this page; the detonation ran it as #!New_SeTup_2024_UseAs_p@ssKey\Setup.exe under the user's Temp directory) was found to be: Known bad.
Malicious Activity Summary
Vidar
Banload
Detect Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Suspicious use of SetThreadContext
Registers COM server for autorun
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-01 19:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-01 19:45
Reported
2024-05-01 19:53
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Banload
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5064 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Registers COM server for autorun
Note: the rows below register CLSID {6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} with InprocServer32 pointing at C:\Program Files\Common Files\System\ado\msadox.dll, a Microsoft ADO path (the Modifies registry class rows give it ProgID ADOX.Index.6.0). No Run key, service or scheduled task appears anywhere in this report, so treat this as COM class registration to verify (hash the DLL at that path against a known-good copy) rather than confirmed persistence.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "ADOX.Index.6.0" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "ADOX.Index.6.0" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "ADOX.Index.6.0" | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1288 -ip 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1576
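Turning the signatures above into detection logic, as an added example written for this page (Python; it is not the sandbox's code and calls no vendor API). The event records are constructed to mirror the chain this report records: Setup.exe in %TEMP% querying the VirtualBox ACPI and BIOS keys, opening netsh.exe (PID 2844) with write and suspend/resume rights before setting its thread context, registering the CLSID, and explorer.exe (PID 1288) later crashing into WerFault. PIDs and paths come from the report; the field names (type, pid, image, granted_access, key, value) and the WerFault PID are assumptions. One caveat the report does not state: Sysmon has no event for registry reads, so the anti-VM rule needs telemetry that records queries (an EDR, a sandbox, or the ETW registry provider).

```python
"""Behavioural triage over constructed EDR-style telemetry.

Added example, not part of the sandbox report or of any vendor's tooling.
The events are synthetic: PIDs and paths mirror the report, field names are
an assumed schema. Sysmon logs no registry reads, so the anti-VM rule only
works on telemetry that records queries.
"""
import re

# Access rights needed to write into and resume a suspended child (WinNT.h values).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
HOLLOW_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\ProgramData\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
ANTI_VM_KEY = re.compile(
    r"\\HARDWARE\\(ACPI\\DSDT\\VBOX__|DESCRIPTION\\System\\SystemBios(Version|Date))$", re.I)
COM_INPROC = re.compile(r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\\?$", re.I)
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.I)


def triage(events):
    """Return (rule, detail) findings for one host's ordered event stream."""
    findings, image = [], {}
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            image[e["pid"]] = e["image"]
            parent = e.get("parent_image", "")
            # A binary in a user-writable directory launching a Windows system binary.
            if USER_WRITABLE.search(parent) and SYSTEM_DIR.match(e["image"]):
                findings.append(("suspicious_child", f"{parent} -> {e['image']}"))
            m = WERFAULT_PID.search(e.get("command_line", ""))
            if m:  # WerFault -p <pid>: report which image crashed
                crashed = int(m.group(1))
                findings.append(("crash", f"pid {crashed} ({image.get(crashed, '?')})"))
        elif kind == "process_access":
            target = image.get(e["target_pid"], "")
            # Write + suspend/resume rights on a system-binary child: hollowing pattern.
            if e["granted_access"] & HOLLOW_MASK == HOLLOW_MASK and SYSTEM_DIR.match(target):
                findings.append(("process_hollowing",
                                 f"pid {e['pid']} -> pid {e['target_pid']} ({target})"))
        elif kind == "registry_query":
            if ANTI_VM_KEY.search(e["key"]) and not SYSTEM_DIR.match(image.get(e["pid"], "")):
                findings.append(("anti_vm_probe", e["key"]))
        elif kind == "registry_set":
            if COM_INPROC.search(e["key"]):
                # A server path outside Program Files/Windows is the real hijack case;
                # a Microsoft path still warrants hashing the DLL at that location.
                risky = not re.match(r"^C:\\(Program Files|Windows)", e["value"], re.I)
                findings.append(("com_inproc_server" + ("_hijack" if risky else ""), e["value"]))
    return findings


# Constructed events (PIDs/paths from the report, schema and WerFault PID assumed).
SETUP = r"C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe"
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5064, "image": SETUP, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_query", "pid": 5064, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry_query", "pid": 5064,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "process_create", "pid": 2844, "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": SETUP},
    {"type": "process_access", "pid": 5064, "target_pid": 2844, "granted_access": 0x1FFFFF},
    {"type": "registry_set", "pid": 5064, "key": CLSID + "\\InprocServer32\\",
     "value": r"C:\Program Files\Common Files\System\ado\msadox.dll"},
    {"type": "process_create", "pid": 1288, "image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"type": "process_create", "pid": 4000, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "command_line": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1576"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The hollowing rule keys on the access mask rather than on SetThreadContext itself, because most telemetry exposes the OpenProcess grant (Sysmon EID 10) but not the thread-context call; the COM rule deliberately reports the msadox.dll registration without the hijack suffix, matching the caveat above that a Microsoft path is a lead to verify, not a finding.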
Network
The in-addr.arpa rows are reverse (PTR) lookups the sandbox makes for each address it observes, and the bing.com traffic is Windows background telemetry. The only other destination is hypaton.xyz, resolved to 104.21.90.147 (a Cloudflare-fronted address) and contacted four times over TCP 443.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hypaton.xyz | udp |
| US | 104.21.90.147:443 | hypaton.xyz | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.90.21.104.in-addr.arpa | udp |
| US | 104.21.90.147:443 | hypaton.xyz | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 104.21.90.147:443 | hypaton.xyz | tcp |
| US | 104.21.90.147:443 | hypaton.xyz | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Memory was extracted from three PIDs: 5064 (Setup.exe), 2844 (netsh.exe, the SetThreadContext target) and 1288 (explorer.exe, the process WerFault was launched for). The repeated 5064 dumps of the region at 0x400000 (the default 32-bit image base) track Setup.exe's own image changing in memory; the 1288 dumps show the sandbox also flagged memory inside explorer.exe, though the report does not record which process wrote to it.
memory/5064-0-0x0000000003F10000-0x00000000040F8000-memory.dmp
memory/5064-10-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-12-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-15-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-17-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-14-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-16-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-19-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/5064-20-0x00007FFB46D10000-0x00007FFB46E82000-memory.dmp
memory/5064-35-0x00007FFB46D10000-0x00007FFB46E82000-memory.dmp
memory/5064-34-0x00007FFB46D28000-0x00007FFB46D29000-memory.dmp
memory/5064-36-0x00007FFB46D10000-0x00007FFB46E82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8b365030
| MD5 | f6b9e593d436b91ce68e5eb534ea5a54 |
| SHA1 | 1282b0667b69d93fdbfd38097e97286edf807b07 |
| SHA256 | 6892755ec3b27a14278cf63e1d69ceb0f9b0a6b1c8aa84f9aac07e72760dc35e |
| SHA512 | 0f46e72cfa9eac30cdaa5eaa999c2fdda77945029b5f3f04deb18e199ec3005b0c699c8ae6fe19b2df1f163ac9e10850a79f3098e796b4b6e34aec9205252fd6 |
memory/2844-39-0x00007FFB65130000-0x00007FFB65325000-memory.dmp
memory/2844-40-0x0000000074AFE000-0x0000000074B00000-memory.dmp
memory/2844-41-0x0000000074AF1000-0x0000000074AFF000-memory.dmp
memory/2844-44-0x0000000074AF1000-0x0000000074AFF000-memory.dmp
memory/1288-45-0x0000000001170000-0x00000000018C3000-memory.dmp
memory/1288-47-0x00007FFB65130000-0x00007FFB65325000-memory.dmp
memory/1288-48-0x0000000001170000-0x00000000018C3000-memory.dmp
memory/1288-55-0x0000000001170000-0x00000000018C3000-memory.dmp
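An added example, not part of the report: a Python pass over the Network and Files tables above that separates actionable indicators from sandbox noise. It treats in-addr.arpa rows as the sandbox's own reverse lookups and bing.com as Microsoft telemetry (an allowlist assumption), parses the memory-dump names to see which processes had memory extracted, and maps those PIDs to images using the SetThreadContext and WerFault rows. The row lists are a subset copied from the tables above; the NOISE_SUFFIXES list is the only invented element.

```python
"""Pull actionable indicators out of this report's Network and Files tables.

Added example; not part of the sandbox output. Rows are copied from the
report. NOISE_SUFFIXES and the treatment of PTR lookups as sandbox
artefacts are triage assumptions, not facts stated by the report.
"""
import re
from collections import defaultdict

# (country, destination, domain, proto) rows copied from the Network table.
NETWORK = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("NL", "23.62.61.160:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "hypaton.xyz", "udp"),
    ("US", "104.21.90.147:443", "hypaton.xyz", "tcp"),
    ("US", "104.21.90.147:443", "hypaton.xyz", "tcp"),
    ("US", "8.8.8.8:53", "147.90.21.104.in-addr.arpa", "udp"),
]

# Dump names from the Files section: memory/<pid>-<seq>-<start>-<end>-memory.dmp
MEMORY_DUMPS = [
    "memory/5064-0-0x0000000003F10000-0x00000000040F8000-memory.dmp",
    "memory/5064-10-0x0000000000400000-0x0000000001CF7000-memory.dmp",
    "memory/2844-39-0x00007FFB65130000-0x00007FFB65325000-memory.dmp",
    "memory/1288-45-0x0000000001170000-0x00000000018C3000-memory.dmp",
]

# PID -> image, as recorded by the SetThreadContext row and the WerFault command line.
PID_IMAGE = {
    5064: r"C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe",
    2844: r"C:\Windows\SysWOW64\netsh.exe",
    1288: r"C:\Windows\SysWOW64\explorer.exe",
}

DROPPED_FILE_SHA256 = "6892755ec3b27a14278cf63e1d69ceb0f9b0a6b1c8aa84f9aac07e72760dc35e"

NOISE_SUFFIXES = (".bing.com", ".microsoft.com", ".windowsupdate.com")  # assumption
RESOLVER = "8.8.8.8:53"
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def candidate_c2(rows):
    """Distinct (domain, destination) pairs left after stripping sandbox noise."""
    out = set()
    for _country, dest, domain, _proto in rows:
        if domain.endswith(".in-addr.arpa"):   # reverse lookups made by the sandbox
            continue
        if dest == RESOLVER:                   # the DNS query itself, not the connection
            continue
        if domain.endswith(NOISE_SUFFIXES):    # Windows background traffic
            continue
        out.add((domain, dest))
    return out


def dump_regions(names):
    """Parse dump file names into pid -> [(start_address, size_in_bytes)]."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, _seq, start, end = m.groups()
        regions[int(pid)].append((int(start, 16), int(end, 16) - int(start, 16)))
    return dict(regions)


def injected_system_processes(regions, pid_image):
    """Windows-directory processes the sandbox had to dump: the likely injection targets."""
    return {img for pid, img in pid_image.items()
            if pid in regions and img.lower().startswith("c:\\windows\\")}


def defang(indicator):
    """Make a domain or address safe to paste into tickets (hypaton.xyz -> hypaton[.]xyz)."""
    return indicator.replace(".", "[.]")


def ioc_report():
    """Summarise what an analyst would carry forward from this detonation."""
    c2 = sorted(candidate_c2(NETWORK))
    return {
        "network": [(defang(d), defang(dest)) for d, dest in c2],
        "dropped_sha256": DROPPED_FILE_SHA256,
        "dump_targets": sorted(injected_system_processes(dump_regions(MEMORY_DUMPS), PID_IMAGE)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ioc_report(), indent=2))
```

The dump-name parser is the part worth keeping: the size of the 0x400000 region in PID 5064 (about 26 MB) tells you how large an unpacked image to expect when you pull that dump, and the presence of dumps for two Windows-directory processes tells you which memory to scan for the stealer's configuration.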