Malware Analysis Report

2024-09-11 16:39

Sample ID 240614-xgbs1swejq
Target SETAP_9090__Pa$$W0rdS~!!.zip
SHA256 a575539b1d321f7608c041ce115828d7d3615f8011e0f879e39bd83b8ef2bd8c
Tags
stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a575539b1d321f7608c041ce115828d7d3615f8011e0f879e39bd83b8ef2bd8c

Threat Level: Known bad

The file SETAP_9090__Pa$$W0rdS~!!.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Detect Vidar Stealer

Vidar

Stealc

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Checks installed software on the system

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 18:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 18:49

Reported

2024-06-14 18:51

Platform

win7-20240611-en

Max time kernel

37s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 18:49

Reported

2024-06-14 18:51

Platform

win10v2004-20240611-en

Max time kernel

119s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1264 set thread context of 836 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 2700 set thread context of 4512 | N/A | C:\ProgramData\DHJEBGIEBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 4100 set thread context of 3104 | N/A | C:\ProgramData\DHDAFBFCFH.exe | C:\Windows\SysWOW64\ftp.exe

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A
File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | N/A
N/A | N/A | C:\ProgramData\DHJEBGIEBF.exe | N/A
N/A | N/A | C:\ProgramData\DHDAFBFCFH.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\ProgramData\DHJEBGIEBF.exe | N/A
N/A | N/A | C:\ProgramData\DHDAFBFCFH.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 544 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
PID 544 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
PID 1264 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 1264 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 1264 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 1264 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 836 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 836 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 836 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 836 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 836 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2004 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\DHJEBGIEBF.exe
PID 2004 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\DHJEBGIEBF.exe
PID 2004 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\DHJEBGIEBF.exe
PID 2004 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\DHDAFBFCFH.exe
PID 2004 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\DHDAFBFCFH.exe
PID 2004 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\DHDAFBFCFH.exe
PID 2700 wrote to memory of 4512 | N/A | C:\ProgramData\DHJEBGIEBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 2700 wrote to memory of 4512 | N/A | C:\ProgramData\DHJEBGIEBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 2700 wrote to memory of 4512 | N/A | C:\ProgramData\DHJEBGIEBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 4100 wrote to memory of 3104 | N/A | C:\ProgramData\DHDAFBFCFH.exe | C:\Windows\SysWOW64\ftp.exe
PID 4100 wrote to memory of 3104 | N/A | C:\ProgramData\DHDAFBFCFH.exe | C:\Windows\SysWOW64\ftp.exe
PID 4100 wrote to memory of 3104 | N/A | C:\ProgramData\DHDAFBFCFH.exe | C:\Windows\SysWOW64\ftp.exe
PID 2700 wrote to memory of 4512 | N/A | C:\ProgramData\DHJEBGIEBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 4100 wrote to memory of 3104 | N/A | C:\ProgramData\DHDAFBFCFH.exe | C:\Windows\SysWOW64\ftp.exe
PID 2004 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 452 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 452 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4512 wrote to memory of 3488 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 4512 wrote to memory of 3488 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 4512 wrote to memory of 3488 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 3104 wrote to memory of 960 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3104 wrote to memory of 960 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4512 wrote to memory of 3488 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\ProgramData\DHJEBGIEBF.exe

"C:\ProgramData\DHJEBGIEBF.exe"

C:\ProgramData\DHDAFBFCFH.exe

"C:\ProgramData\DHDAFBFCFH.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAFIEBKKJJDA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | feeldog.xyz | udp
US | 104.21.13.222:443 | feeldog.xyz | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
GB | 172.217.169.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 222.13.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | 58.251.201.195.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | businessdownloads.ltd | udp
US | 104.21.16.123:443 | businessdownloads.ltd | tcp
US | 8.8.8.8:53 | 123.16.21.104.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | i.imgur.com | udp
US | 199.232.192.193:443 | i.imgur.com | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | 193.192.232.199.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp

Files

memory/544-0-0x00007FFEE3850000-0x00007FFEE39C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

MD5 9a4cc0d8e7007f7ef20ca585324e0739
SHA1 f3e5a2e477cac4bab85940a2158eed78f2d74441
SHA256 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
SHA512 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

C:\Users\Admin\AppData\Roaming\Httva\python310.dll

MD5 e31064ef0869d01beb4841879a87a391
SHA1 7c26d7c27215afa8304df18a7a6bc4a03eaf70c5
SHA256 2c9b70db08be7e17ee33130cc8ace2d02d381f7fd9a5cc3b52be9a2e4727c006
SHA512 50036e765f8c95f8511f6961888e42378225c98cf0f57423c3c91a6b154d2220be251e38f1ab04f59cace563c6a8701b08097762f71f875b371655dbdb560622

C:\Users\Admin\AppData\Roaming\Httva\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Roaming\Httva\ear.eml

MD5 58b327325f4203803325c7901fb16ccd
SHA1 6fa0f727ebdaf965744ecf0c67cc6b3fcc745620
SHA256 83477ae6d1da7c9f4a88f067b9f15691c66c51c4c82078ab468cc0c04d0d426c
SHA512 a1c85c473490f4eb5008a45a8af9909cb1caf0dd84602ed7ea08c593091a979d0814cd3c7a2cf6681790162e13315f482a05f53477428b1c946e2d96740eb307

C:\Users\Admin\AppData\Roaming\Httva\towel.vhd

MD5 5b9a5e459770a6dd896c725ba08a1e95
SHA1 546e8af7d2c72661ff63e9f57ab3ff009b863041
SHA256 fff2204de2ce109fe1d8e014e9508368c38d40d9f863678bcf3129978f9db424
SHA512 cc4673cb0b411a26a89a9c22241b5fca0107a11ecf1c8dfad1ec65060e64894fc7b2668cfd8ba1f18236b67fb21985fb8cbf5c3c7213d5040ecbad59d9ef6c22

memory/1264-14-0x00007FFEE3AD0000-0x00007FFEE3C42000-memory.dmp

memory/1264-15-0x00007FFEE3AE8000-0x00007FFEE3AE9000-memory.dmp

memory/1264-16-0x00007FFEE3AD0000-0x00007FFEE3C42000-memory.dmp

memory/1264-17-0x00007FFEE3AD0000-0x00007FFEE3C42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ce131f9

MD5 90509971c88c18bd74edceacd896b7eb
SHA1 923a544630497787f74024eb4194e689cee2cda7
SHA256 3c3f28f20104ebdec87cc14ab4ce1dd9016f5bf83fb650e06b37ef914ceb7704
SHA512 e48e6a95b586295f76182d5734e2f669536a91b18d57bdf743491f5f7f747c57d9ec6de4f1124e76b884e5ab23ccdf710d93cfefddab6ae73919a9a734e20c6e

memory/836-20-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/836-24-0x0000000074971000-0x000000007497F000-memory.dmp

memory/836-23-0x000000007497E000-0x0000000074980000-memory.dmp

memory/836-27-0x0000000074971000-0x000000007497F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2004-29-0x0000000001670000-0x0000000001DBC000-memory.dmp

memory/2004-31-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/2004-38-0x0000000001670000-0x0000000001DBC000-memory.dmp

memory/2004-51-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\CAFIEBKKJJDA\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\CAFIEBKKJJDA\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\DHJEBGIEBF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/2700-129-0x00000000002E0000-0x00000000007F3000-memory.dmp

memory/2004-134-0x0000000001670000-0x0000000001DBC000-memory.dmp

C:\ProgramData\DHDAFBFCFH.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/4100-145-0x0000000000A90000-0x0000000000CD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44bc09f1

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/2700-151-0x0000000072DD0000-0x0000000072F4B000-memory.dmp

memory/2700-152-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46c62ef0

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/4100-154-0x0000000072DD0000-0x0000000072F4B000-memory.dmp

memory/4100-155-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/2004-159-0x0000000001670000-0x0000000001DBC000-memory.dmp

memory/2700-164-0x0000000072DD0000-0x0000000072F4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48241d67

MD5 46bdac9f483097770b223ed661ab39c9
SHA1 5cc11f035d5fc75d6e7be4b9d0839c810f9f9a63
SHA256 cad076b213fba866363f12f14801ae5da272a88e98311350b03deacc47fb19e4
SHA512 aa41e31fc9e23da1b0647318a1af7dae522705b3d63bba6be9ab5b41cdae87c53564da90eb7f05e02813d98b05f765575adc724d579623b95e9c462fbb393e18

memory/4100-167-0x0000000072DD0000-0x0000000072F4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4bafa9e9

MD5 7f7707c7722c94a82dfa5f701e75b6cb
SHA1 194946b9bb3e28e146dc962026ac9e0ed5aea52e
SHA256 66b848500721dd10110446ec2c9b7c133fda564b5f6fe1769c759aa58e653e05
SHA512 964bb12e94967e9eecf6ce39eefb795884854fef9170023d7d0186abb9f3f986b7bcf76c41cd7a8a2117db19c19f04e3e283fff81f80628cf191d46babaa8394

memory/2004-178-0x0000000001670000-0x0000000001DBC000-memory.dmp

memory/4512-179-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/3104-180-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/3104-181-0x0000000072DD0000-0x0000000072F4B000-memory.dmp

C:\ProgramData\CAFIEBKKJJDA\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\CAFIEBKKJJDA\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\CAFIEBKKJJDA\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/4512-196-0x0000000072DD0000-0x0000000072F4B000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 18:49

Reported

2024-06-14 18:51

Platform

win11-20240508-en

Max time kernel

71s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Reads data files stored by FTP clients

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1836 set thread context of 3784 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe

Checks installed software on the system

discovery

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4592 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
PID 4592 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
PID 1836 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 1836 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 1836 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 1836 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe | C:\Windows\SysWOW64\netsh.exe
PID 3784 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3784 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3784 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3784 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3784 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2860 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2000 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2000 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\GCAFCAFHJJDB" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | feeldog.xyz | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | t.me | udp
US | 8.8.8.8:53 | steamcommunity.com | udp

Files

memory/4592-0-0x00007FF8F75C0000-0x00007FF8F773A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Httva\python310.dll

MD5 e31064ef0869d01beb4841879a87a391
SHA1 7c26d7c27215afa8304df18a7a6bc4a03eaf70c5
SHA256 2c9b70db08be7e17ee33130cc8ace2d02d381f7fd9a5cc3b52be9a2e4727c006
SHA512 50036e765f8c95f8511f6961888e42378225c98cf0f57423c3c91a6b154d2220be251e38f1ab04f59cace563c6a8701b08097762f71f875b371655dbdb560622

C:\Users\Admin\AppData\Roaming\Httva\vcruntime140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Roaming\Httva\towel.vhd

MD5 5b9a5e459770a6dd896c725ba08a1e95
SHA1 546e8af7d2c72661ff63e9f57ab3ff009b863041
SHA256 fff2204de2ce109fe1d8e014e9508368c38d40d9f863678bcf3129978f9db424
SHA512 cc4673cb0b411a26a89a9c22241b5fca0107a11ecf1c8dfad1ec65060e64894fc7b2668cfd8ba1f18236b67fb21985fb8cbf5c3c7213d5040ecbad59d9ef6c22

C:\Users\Admin\AppData\Roaming\Httva\ear.eml

MD5 58b327325f4203803325c7901fb16ccd
SHA1 6fa0f727ebdaf965744ecf0c67cc6b3fcc745620
SHA256 83477ae6d1da7c9f4a88f067b9f15691c66c51c4c82078ab468cc0c04d0d426c
SHA512 a1c85c473490f4eb5008a45a8af9909cb1caf0dd84602ed7ea08c593091a979d0814cd3c7a2cf6681790162e13315f482a05f53477428b1c946e2d96740eb307

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

MD5 9a4cc0d8e7007f7ef20ca585324e0739
SHA1 f3e5a2e477cac4bab85940a2158eed78f2d74441
SHA256 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
SHA512 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

memory/1836-14-0x00007FF8F75C0000-0x00007FF8F773A000-memory.dmp

memory/1836-16-0x00007FF8F75C0000-0x00007FF8F773A000-memory.dmp

memory/1836-15-0x00007FF8F75D8000-0x00007FF8F75D9000-memory.dmp

memory/1836-17-0x00007FF8F75C0000-0x00007FF8F773A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b6b83a3e

MD5 f072b0a971478f6e719a7ca569ee0cef
SHA1 80cd0fd73eec419374b803486f8630289b6b2feb
SHA256 858a9b8cddebaf4adc9b5260c1d47f2322c68586825c9a450e8c9b89719e2a1f
SHA512 e1be248b9e5f02f7494dc77f8a2fb69b7709c60d09a46792a81d233581e9fca626a332777f97880b3c4372d979fceba69f8386fb12e43dbec998d81f87464d12

memory/3784-20-0x00007FF9069C0000-0x00007FF906BC9000-memory.dmp

memory/3784-23-0x0000000073D01000-0x0000000073D0F000-memory.dmp

memory/3784-22-0x0000000073D0E000-0x0000000073D10000-memory.dmp

memory/3784-27-0x0000000073D01000-0x0000000073D0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2860-30-0x0000000001200000-0x000000000194C000-memory.dmp

memory/2860-31-0x00007FF9069C0000-0x00007FF906BC9000-memory.dmp

memory/2860-32-0x0000000001200000-0x000000000194C000-memory.dmp

memory/2860-33-0x0000000001200000-0x000000000194C000-memory.dmp

memory/2860-35-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2860-47-0x0000000001200000-0x000000000194C000-memory.dmp