Analysis
-
max time kernel
140s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02/05/2024, 02:01
General
-
Target
@#!!Newest_SoftWare_2024_P@SSCODE_%$/Setup.exe
-
Size
938KB
-
MD5
b15bac961f62448c872e1dc6d3931016
-
SHA1
1dcb61babb08fe5db711e379cb67335357a5db82
-
SHA256
bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5
-
SHA512
932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370
-
SSDEEP
24576:KjNRyoUXVwSCwfHACpA9EZkHx1KJ9ZiYwadzv:AzyLXVwPwfHACpAfRAhiYwadzv
Malware Config
Extracted
vidar
f98c5b0a7dd3573ec9aac41b4a67f845
https://redddog.xyz
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
-
profile_id_v2
f98c5b0a7dd3573ec9aac41b4a67f845
-
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
-
Detect Vidar Stealer 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\@#!!Newest_SoftWare_2024_P@SSCODE_%$\Setup.exe"C:\Users\Admin\AppData\Local\Temp\@#!!Newest_SoftWare_2024_P@SSCODE_%$\Setup.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exeC:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 18924⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 15041⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.0MB
MD549811e88bfe0d39bb4f9625bbd072de7
SHA11e0510637750684f89148ced19b15d0de2fac2ec
SHA25646c19acbc2eb7dee528230071e73d892d420408128e073903a1931efbf5f6939
SHA512eb98ae7832dba7c2011e9db772c1b074e4c3df38cb7f03b878177d971453a003651e285dcb906fc787c13337e064141aa110d01a110e73ee1991b89c58216e65
-
Filesize
136KB
MD53d754cfa4a5b2a3f19720550acf6d3cf
SHA1e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA2568e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA51218db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
7.3MB
-
Filesize
2.0MB
-
Filesize
7.3MB
-
Filesize
56KB
-
Filesize
2.0MB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
56KB