Analysis
-
max time kernel
144s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02/05/2024, 01:51
General
-
Target
#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s/Setup.exe
-
Size
8.5MB
-
MD5
98169506fec94c2b12ba9930ad704515
-
SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428
-
SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
-
SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
-
SSDEEP
196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
vidar
048d5e906358321b51376c6237a65c77
https://redddog.xyz
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
-
profile_id_v2
048d5e906358321b51376c6237a65c77
-
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Detect Vidar Stealer 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s\Setup.exe"C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exeC:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 17564⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3660 -ip 36601⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD53d754cfa4a5b2a3f19720550acf6d3cf
SHA1e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA2568e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA51218db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b
-
Filesize
6.0MB
MD5bb41ef293851eb8745a92fdb885acc4f
SHA14ba627c2d509efab600e47d4ed443fa819138d1d
SHA256416ff750b3d38a30a2fd4001bbea9af502804d49092c3b70cce1569d032105bb
SHA512c46791150c2bc75cc0b22448f2fdfca16b8f93396864d17fd21c2cc484d5613ddd510a68698d3eca47e2b5472e575e515b142c446090a7f02a08fd51b8b667e6
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.9MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
7.3MB