Malware Analysis Report

2024-11-16 13:50

Sample ID 240628-mvfzsaxhjm
Target lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar
SHA256 4355a412e52f33235565e87b52caaae5d9dcd4942ae6eb2fe3a385fab3497cd1
Tags
stealc vidar bd7a7ef85507e39998176b88b253bdb9 persistence privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4355a412e52f33235565e87b52caaae5d9dcd4942ae6eb2fe3a385fab3497cd1

Threat Level: Known bad

The file lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar was found to be: Known bad.

Malicious Activity Summary

Detect Vidar Stealer

Vidar

Stealc

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Program crash

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 10:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 10:46

Reported

2024-06-28 10:50

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar

Signatures

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2540 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\coml.au3

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2880 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2880 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2188 wrote to memory of 2540 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe
PID 2188 wrote to memory of 2540 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe
PID 2188 wrote to memory of 2540 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2988 wrote to memory of 2800 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2988 wrote to memory of 2800 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2988 wrote to memory of 2800 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2988 wrote to memory of 2800 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2988 wrote to memory of 2800 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2988 wrote to memory of 2800 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2800 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2800 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2800 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2800 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2188 wrote to memory of 2116 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 2188 wrote to memory of 2116 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 2188 wrote to memory of 2116 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar"

C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 148

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC88FDCD7\ReadMe(!).txt

Network

N/A

Files

memory/2540-32-0x0000000140000000-0x00000001407DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b53721c

MD5 957edcb00ce0b522499f6c799ea11053
SHA1 b1c91d93701d206820e45118e0df50d34790d27d
SHA256 e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d
SHA512 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6

memory/2540-40-0x000007FEF5F10000-0x000007FEF6068000-memory.dmp

memory/2540-41-0x000007FEF5F10000-0x000007FEF6068000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fd70d43

MD5 9131a5c0caa4d7c3ec19b7bea3535a3f
SHA1 a100c2102819f79682a3c3c02392ee9292b328ef
SHA256 bad23670a06b14d9dabd9c41b81807cb6dbe17445834e6c89f1aeb1f13eef70d
SHA512 eab43616cae3b0339e9bf575a04ffebb97de11c74bc4cf8c1657800734a3c45c6ec8fd5e6273eecfb273581a7d1a67ebf298b771c2cd2cab2ab1f0522d02ceef

memory/2988-44-0x0000000077270000-0x0000000077419000-memory.dmp

\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2988-46-0x00000000733A0000-0x0000000073514000-memory.dmp

memory/2800-52-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2800-51-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2800-54-0x00000000005D0000-0x0000000000D1B000-memory.dmp

memory/2800-61-0x00000000005D0000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zOC88FDCD7\ReadMe(!).txt

MD5 bcd44e1dc4b8c98bfe46334c05c50851
SHA1 2312cd4e3279d57c64fbfbfffbc98cc9e0e6b720
SHA256 116d7fc2ff0d14b5a94007416a5d78c97d8a8779c6b02b2067a4fce3534f3406
SHA512 21ed99c0787e05cb16d5a46db01351aca43abe5a6c6cf82b8a6148f157f454377e7cafcf7336c6c275abd2caab63feb40a312bf416d75c2eca1d7dba3ef34549

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 10:46

Reported

2024-06-28 10:50

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A