Behavioral task
behavioral1
Sample
updater.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
updater.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
updaterExe.exe
Resource
win7-20240508-en
General
-
Target
085824b451f842390ecdf261ececcd40_NeikiAnalytics.cab
-
Size
93KB
-
MD5
085824b451f842390ecdf261ececcd40
-
SHA1
9196c2ce300cafc293f827c6cebe018568a6947e
-
SHA256
bf6022dbfb93e276acd1643baa13109abd22783fade76a064e803c42a3676c94
-
SHA512
1f13e0bc0926b3badd697210835f3032ba03e1c713f75fd1dfc4cc483a7fceef5cc59ba00763880d013a1790cdbf224eb5d1d2c11ad5e53b4dbaf3ee4ebd01a2
-
SSDEEP
1536:KwxZoE1uLDI7oPYu0if4uuWvXB9QRO96hCKPgV9Fzw+CBXVDblKtWy:KwflmDgAYu004LGyRO9bK49Fzw+CBXVK
Malware Config
Extracted
stealc
Extracted
vidar
https://steamcommunity.com/profiles/76561199686524322
https://t.me/k0mono
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Signatures
-
Detect Vidar Stealer 2 IoCs
Processes:
resource yara_rule static1/unpack001/updater family_vidar_v7 static1/unpack001/updaterExe family_vidar_v7 -
Stealc family
-
Vidar family
-
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/updater unpack001/updaterExe
Files
-
085824b451f842390ecdf261ececcd40_NeikiAnalytics.cab.cab
-
updater.exe windows:5 windows x86 arch:x86
a34c7216d6536a950566187b3d5a3285
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
msvcrt
_EH_prolog
__CxxFrameHandler3
memcmp
memchr
strncpy
malloc
_wtoi64
atexit
??_V@YAXPAX@Z
memset
strcpy_s
strtok_s
memmove
strchr
memcpy
strcat
??_U@YAPAXI@Z
wcslen
strlen
kernel32
IsProcessorFeaturePresent
LoadLibraryW
ExitProcess
GetCurrentProcess
HeapAlloc
GetProcessHeap
lstrlenA
HeapFree
ReadProcessMemory
VirtualQueryEx
GetComputerNameA
FileTimeToSystemTime
CloseHandle
WaitForSingleObject
CreateThread
GetDriveTypeA
GetLogicalDriveStringsA
CreateDirectoryA
LoadLibraryA
GetStringTypeW
Sleep
MultiByteToWideChar
LCMapStringW
WideCharToMultiByte
GetModuleFileNameW
GetStdHandle
GetProcAddress
GetCurrentThreadId
SetLastError
GetModuleHandleW
OpenProcess
RaiseException
EncodePointer
GetLastError
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsSetValue
WriteFile
user32
wsprintfW
CharToOemA
advapi32
RegGetValueA
GetCurrentHwProfileA
RegOpenKeyExA
GetUserNameA
shell32
SHFileOperationA
ole32
CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
CoCreateInstance
oleaut32
VariantInit
SysAllocString
SysFreeString
VariantClear
shlwapi
ord155
crypt32
CryptStringToBinaryA
Sections
.text Size: 130KB - Virtual size: 129KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 45KB - Virtual size: 44KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 2.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
updaterExe.exe windows:5 windows x86 arch:x86
a34c7216d6536a950566187b3d5a3285
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
msvcrt
_EH_prolog
__CxxFrameHandler3
memcmp
memchr
strncpy
malloc
_wtoi64
atexit
??_V@YAXPAX@Z
memset
strcpy_s
strtok_s
memmove
strchr
memcpy
strcat
??_U@YAPAXI@Z
wcslen
strlen
kernel32
IsProcessorFeaturePresent
LoadLibraryW
ExitProcess
GetCurrentProcess
HeapAlloc
GetProcessHeap
lstrlenA
HeapFree
ReadProcessMemory
VirtualQueryEx
GetComputerNameA
FileTimeToSystemTime
CloseHandle
WaitForSingleObject
CreateThread
GetDriveTypeA
GetLogicalDriveStringsA
CreateDirectoryA
LoadLibraryA
GetStringTypeW
Sleep
MultiByteToWideChar
LCMapStringW
WideCharToMultiByte
GetModuleFileNameW
GetStdHandle
GetProcAddress
GetCurrentThreadId
SetLastError
GetModuleHandleW
OpenProcess
RaiseException
EncodePointer
GetLastError
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsSetValue
WriteFile
user32
wsprintfW
CharToOemA
advapi32
RegGetValueA
GetCurrentHwProfileA
RegOpenKeyExA
GetUserNameA
shell32
SHFileOperationA
ole32
CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
CoCreateInstance
oleaut32
VariantInit
SysAllocString
SysFreeString
VariantClear
shlwapi
ord155
crypt32
CryptStringToBinaryA
Sections
.text Size: 130KB - Virtual size: 129KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 45KB - Virtual size: 44KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 2.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ