Extracted

Extracted

Extracted

• • Target

    ver3_appfile.rar

  • Size

    6.9MB

  • MD5

    70a4b0088163ebb0805eeff9bc766658

  • SHA1

    746e8f51637b5861858ef453de04964b4eb23246

  • SHA256

    5104e10875fb2a5e76fff9e552e9007d7be2049546dc8ce7443e2c62de4981ae

  • SHA512

    a0c8be17811298ddb333d4f030b8dc6a12de7f24893d94cacfaac68324baeb68a8e75874ead938ff4dedb6b2ff9b01b85168b005475c5bc87bb4ec4bdb630b28

  • SSDEEP

    98304:nQAcZjsI/pfneEb+NJ5xiMAe74hCXjIXNwpjL2qTFZHc/G3KeM/jl7EuCh8fJAHD:QXZYunlbw5jqByN6k/kVmkA/r

  Score

  10^/10

  privateloaderriseprostealctofseevidarbootkitcollectiondiscoveryevasionexecutionloaderpersistencespywarestealertrojan

  • Detect Vidar Stealer

    stealer

  • Modifies firewall policy service

    evasion

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Creates new service(s)

    persistenceexecution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Stops running service(s)

    evasionexecution

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1