Analysis Overview
SHA256
dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6
Threat Level: Known bad
The file dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6 was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Stealc
Vidar
Downloads MZ/PE file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Checks processor information in registry
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 14:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 14:07
Reported
2024-06-14 14:09
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4872 set thread context of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe
"C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\IJDGCAEBFIIE" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
Files
memory/4872-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
memory/4872-1-0x0000000000F60000-0x00000000013F8000-memory.dmp
memory/4872-2-0x0000000005CD0000-0x0000000005D6C000-memory.dmp
memory/4872-4-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/4872-3-0x0000000005D70000-0x0000000005E90000-memory.dmp
memory/4872-5-0x0000000005C90000-0x0000000005CAC000-memory.dmp
memory/4872-9-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-7-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-6-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-45-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-65-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-63-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/1580-68-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1580-66-0x0000000000400000-0x0000000000648000-memory.dmp
memory/4872-70-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/4872-61-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-59-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-57-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/1580-71-0x0000000000400000-0x0000000000648000-memory.dmp
memory/4872-55-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-53-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-51-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-49-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-47-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-43-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-42-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-39-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-37-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-35-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-34-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-31-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-29-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-27-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-25-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-23-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-21-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-17-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-16-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-13-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-11-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/4872-20-0x0000000005C90000-0x0000000005CA5000-memory.dmp
memory/1580-72-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1580-73-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1580-75-0x0000000000400000-0x0000000000648000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 14:07
Reported
2024-06-14 14:09
Platform
win11-20240611-en
Max time kernel
90s
Max time network
114s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Downloads MZ/PE file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1648 set thread context of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe
"C:\Users\Admin\AppData\Local\Temp\dae1412cddc24c46fb6fa756fed01269f6fb9608bb1b5e4ba342918b7d1aacd6.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| RU | 5.42.65.116:80 | tcp |
Files
memory/1648-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp
memory/1648-1-0x0000000000330000-0x00000000007C8000-memory.dmp
memory/1648-2-0x00000000051A0000-0x000000000523C000-memory.dmp
memory/1648-3-0x0000000005340000-0x0000000005460000-memory.dmp
memory/1648-4-0x0000000074A10000-0x00000000751C1000-memory.dmp
memory/1648-5-0x0000000002AA0000-0x0000000002ABC000-memory.dmp
memory/1648-37-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-47-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-45-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-43-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-41-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-39-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-35-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-33-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-23-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-21-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-19-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-17-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-15-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-11-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-7-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-65-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/3828-66-0x0000000000400000-0x0000000000648000-memory.dmp
memory/3828-68-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1648-70-0x0000000074A10000-0x00000000751C1000-memory.dmp
memory/1648-71-0x0000000074A10000-0x00000000751C1000-memory.dmp
memory/3828-72-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1648-63-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-61-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-59-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-57-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-53-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-51-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-55-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-49-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-31-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-29-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-27-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-25-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-13-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-9-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/1648-6-0x0000000002AA0000-0x0000000002AB5000-memory.dmp
memory/3828-75-0x0000000000400000-0x0000000000648000-memory.dmp
memory/3828-124-0x0000000000400000-0x0000000000648000-memory.dmp