Resubmissions

  Date              Sample ID           Score
  09-05-2024 18:25  240509-w2nsmsbc56   10
  09-05-2024 08:53  240509-ks9szahf2w   10
  09-05-2024 08:52  240509-ks3pnace25   1
  08-05-2024 09:27  240508-le3m6sdf7t   10
  07-05-2024 10:53  240507-my8tzach4v   5
  05-05-2024 15:20  240505-sqqlbadg5s   5
  04-05-2024 12:20  240504-phv92sgf24   10
  04-05-2024 12:17  240504-pf52gage49   10
  03-05-2024 11:11  240503-naq5pafb29   10
  30-04-2024 17:26  240430-v1anysbf4y   7

General

  • Target

    https://github.com

  • Sample

    240509-w2nsmsbc56

Malware Config

Extracted

  • Family

    vidar

  • Version

    9.2

  • Botnet

    90055089a554b801602b3ac265dc570c

  • C2

    https://steamcommunity.com/profiles/76561199677575543
    https://t.me/snsb82

Attributes

  • profile_id_v2

    90055089a554b801602b3ac265dc570c

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Detect Vidar Stealer

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Nirsoft

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks