Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
02-05-2024 01:27
General
-
Target
#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180/Setup.exe
-
Size
8.5MB
-
MD5
98169506fec94c2b12ba9930ad704515
-
SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428
-
SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
-
SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
-
SSDEEP
196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
vidar
3c6ffb3181118d4e1071419a800b7369
https://redddog.xyz
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
-
profile_id_v2
3c6ffb3181118d4e1071419a800b7369
-
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Detect Vidar Stealer 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exeC:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1484⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\913ce289Filesize
6.0MB
MD5714d0c393a78a6f8fa9d06d7575266cd
SHA11d4681d9b4b493a84500897cb5c7e72475bf1221
SHA256b6497d1c1ff17840db86bdd1f1f39ca3854b73ef700ac82036647343e1a0754c
SHA5127bd6bfb7143679431fd928f86b6204978d7c44771a49dc6f0bb92c13424a6f97a9779afc21690c590cd3a034315950fa1ee5e2e7ecee65158c72a281cd3ddc16
-
\Users\Admin\AppData\Local\Temp\BvInputDiag.exeFilesize
136KB
MD53d754cfa4a5b2a3f19720550acf6d3cf
SHA1e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA2568e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA51218db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b
-
memory/2688-59-0x00000000004F0000-0x0000000000C3B000-memory.dmpFilesize
7.3MB
-
memory/2688-54-0x00000000004F0000-0x0000000000C3B000-memory.dmpFilesize
7.3MB
-
memory/2688-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2688-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2720-52-0x00000000736D0000-0x0000000073844000-memory.dmpFilesize
1.5MB
-
memory/2720-43-0x00000000736D0000-0x0000000073844000-memory.dmpFilesize
1.5MB
-
memory/2720-47-0x00000000736DE000-0x00000000736E0000-memory.dmpFilesize
8KB
-
memory/2720-48-0x00000000736D0000-0x0000000073844000-memory.dmpFilesize
1.5MB
-
memory/2720-41-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/2972-17-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-38-0x000007FEF6010000-0x000007FEF6168000-memory.dmpFilesize
1.3MB
-
memory/2972-36-0x000007FEF6028000-0x000007FEF6029000-memory.dmpFilesize
4KB
-
memory/2972-37-0x000007FEF6010000-0x000007FEF6168000-memory.dmpFilesize
1.3MB
-
memory/2972-22-0x000007FEF6010000-0x000007FEF6168000-memory.dmpFilesize
1.3MB
-
memory/2972-20-0x00000000048D0000-0x0000000004CCA000-memory.dmpFilesize
4.0MB
-
memory/2972-19-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-0-0x0000000003D50000-0x0000000003F38000-memory.dmpFilesize
1.9MB
-
memory/2972-15-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-16-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-14-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-12-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB
-
memory/2972-10-0x0000000000400000-0x0000000001CF7000-memory.dmpFilesize
25.0MB