1Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
02-05-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/Setup.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/acdbase.dll
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/acdbase.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-convert-l1-1-0.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral6
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-environment-l1-1-0.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-heap-l1-1-0.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral8
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-runtime-l1-1-0.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-stdio-l1-1-0.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral10
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-string-l1-1-0.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral11
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-time-l1-1-0.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/api-ms-win-crt-utility-l1-1-0.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral13
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/libmmd.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/libmmd.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral15
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/stich.pptx
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/stich.pptx
Resource
win10v2004-20240419-en
Behavioral task
behavioral17
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/updater.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/updater.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/vcruntime140.dll
Resource
win7-20240220-en
Behavioral task
behavioral20
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/vcruntime140.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral21
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/AzureKeyVaultDgssLib.dll
Resource
win7-20240419-en
Behavioral task
behavioral22
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/AzureKeyVaultDgssLib.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral23
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/BugReporter.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/BugReporter.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral25
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/ComExtractor.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/ComExtractor.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral27
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/Microsoft.Toolkit.Win32.UI.XamlHost.dll
Resource
win7-20240215-en
Behavioral task
behavioral28
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/Microsoft.Toolkit.Win32.UI.XamlHost.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral29
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/Microsoft.UI.Xaml.dll
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/Microsoft.UI.Xaml.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/WinUiBootstrapper.dll
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/x64/WinUiBootstrapper.dll
Resource
win10v2004-20240419-en
General
-
Target
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/Setup.exe
-
Size
8.5MB
-
MD5
98169506fec94c2b12ba9930ad704515
-
SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428
-
SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
-
SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
-
SSDEEP
196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
vidar
3c6ffb3181118d4e1071419a800b7369
https://redddog.xyz
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
-
profile_id_v2
3c6ffb3181118d4e1071419a800b7369
-
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Detect Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2688-54-0x00000000004F0000-0x0000000000C3B000-memory.dmp family_vidar_v7 behavioral1/memory/2688-59-0x00000000004F0000-0x0000000000C3B000-memory.dmp family_vidar_v7 -
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2688-54-0x00000000004F0000-0x0000000000C3B000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/2688-59-0x00000000004F0000-0x0000000000C3B000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Setup.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Setup.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Setup.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Setup.exedescription pid process target process PID 2972 set thread context of 2720 2972 Setup.exe netsh.exe -
Loads dropped DLL 5 IoCs
Processes:
netsh.exeBvInputDiag.exeWerFault.exepid process 2720 netsh.exe 2688 BvInputDiag.exe 2528 WerFault.exe 2528 WerFault.exe 2528 WerFault.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
Setup.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\AUDIOENG.dll" Setup.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2528 2688 WerFault.exe BvInputDiag.exe -
Modifies registry class 5 IoCs
Processes:
Setup.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "AudioConstrictor Class" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\AUDIOENG.dll" Setup.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Setup.exenetsh.exepid process 2972 Setup.exe 2972 Setup.exe 2720 netsh.exe 2720 netsh.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Setup.exenetsh.exepid process 2972 Setup.exe 2720 netsh.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Setup.exenetsh.exeBvInputDiag.exedescription pid process target process PID 2972 wrote to memory of 2720 2972 Setup.exe netsh.exe PID 2972 wrote to memory of 2720 2972 Setup.exe netsh.exe PID 2972 wrote to memory of 2720 2972 Setup.exe netsh.exe PID 2972 wrote to memory of 2720 2972 Setup.exe netsh.exe PID 2972 wrote to memory of 2720 2972 Setup.exe netsh.exe PID 2720 wrote to memory of 2688 2720 netsh.exe BvInputDiag.exe PID 2720 wrote to memory of 2688 2720 netsh.exe BvInputDiag.exe PID 2720 wrote to memory of 2688 2720 netsh.exe BvInputDiag.exe PID 2720 wrote to memory of 2688 2720 netsh.exe BvInputDiag.exe PID 2720 wrote to memory of 2688 2720 netsh.exe BvInputDiag.exe PID 2720 wrote to memory of 2688 2720 netsh.exe BvInputDiag.exe PID 2688 wrote to memory of 2528 2688 BvInputDiag.exe WerFault.exe PID 2688 wrote to memory of 2528 2688 BvInputDiag.exe WerFault.exe PID 2688 wrote to memory of 2528 2688 BvInputDiag.exe WerFault.exe PID 2688 wrote to memory of 2528 2688 BvInputDiag.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exeC:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1484⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\913ce289Filesize
6.0MB
MD5714d0c393a78a6f8fa9d06d7575266cd
SHA11d4681d9b4b493a84500897cb5c7e72475bf1221
SHA256b6497d1c1ff17840db86bdd1f1f39ca3854b73ef700ac82036647343e1a0754c
SHA5127bd6bfb7143679431fd928f86b6204978d7c44771a49dc6f0bb92c13424a6f97a9779afc21690c590cd3a034315950fa1ee5e2e7ecee65158c72a281cd3ddc16
-
\Users\Admin\AppData\Local\Temp\BvInputDiag.exeFilesize
136KB
MD53d754cfa4a5b2a3f19720550acf6d3cf
SHA1e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA2568e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA51218db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b
-
memory/2688-59-0x00000000004F0000-0x0000000000C3B000-memory.dmpFilesize
7.3MB
-
memory/2688-54-0x00000000004F0000-0x0000000000C3B000-memory.dmpFilesize
7.3MB
-
memory/2688-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2688-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2720-52-0x00000000736D0000-0x0000000073844000-memory.dmpFilesize
1.5MB
-
memory/2720-43-0x00000000736D0000-0x0000000073844000-memory.dmpFilesize
1.5MB
-
memory/2720-47-0x00000000736DE000-0x00000000736E0000-memory.dmpFilesize
8KB
-
memory/2720-48-0x00000000736D0000-0x0000000073844000-memory.dmpFilesize
1.5MB
-
memory/2720-41-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/2972-17-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-38-0x000007FEF6010000-0x000007FEF6168000-memory.dmpFilesize
1.3MB
-
memory/2972-36-0x000007FEF6028000-0x000007FEF6029000-memory.dmpFilesize
4KB
-
memory/2972-37-0x000007FEF6010000-0x000007FEF6168000-memory.dmpFilesize
1.3MB
-
memory/2972-22-0x000007FEF6010000-0x000007FEF6168000-memory.dmpFilesize
1.3MB
-
memory/2972-20-0x00000000048D0000-0x0000000004CCA000-memory.dmpFilesize
4.0MB
-
memory/2972-19-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-0-0x0000000003D50000-0x0000000003F38000-memory.dmpFilesize
1.9MB
-
memory/2972-15-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-16-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-14-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-12-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-10-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB