Malware Analysis Report

2024-11-16 13:47

Sample ID 240628-w66t1sydme
Target !!fUlLSetup_3355_P@ssKeys!!.zip
SHA256 e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535
Tags execution stealc vidar discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral26, behavioral27, behavioral8, behavioral13, behavioral32, behavioral25, behavioral29, behavioral6, behavioral30, behavioral15, behavioral17, behavioral19, behavioral20, behavioral23, behavioral3, behavioral12, behavioral5, behavioral7, behavioral11, behavioral18, behavioral22, behavioral24, behavioral2, behavioral4, behavioral14, behavioral16, behavioral21, behavioral28, behavioral31, behavioral9, behavioral10, behavioral1 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535

Threat Level: Known bad

The file !!fUlLSetup_3355_P@ssKeys!!.zip was found to be: Known bad.

Malicious Activity Summary

execution stealc vidar discovery spyware stealer

Detect Vidar Stealer

Stealc

Vidar

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 18:33

Signatures

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

122s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

121s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

117s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:37

Platform

win10v2004-20240226-en

Max time kernel

128s

Max time network

172s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

98s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240220-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:37

Platform

win7-20240611-en

Max time kernel

122s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20231129-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

118s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240220-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:37

Platform

win7-20240611-en

Max time kernel

122s

Max time network

135s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

118s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:37

Platform

win10v2004-20240226-en

Max time kernel

130s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

52s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:37

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1628 set thread context of 448 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 214.251.201.195.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
US 8.8.8.8:53 professionalresources.pw udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/1628-0-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

memory/1628-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b619da7f

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/1628-7-0x00007FFA986D0000-0x00007FFA98842000-memory.dmp

memory/1628-9-0x00007FFA986D0000-0x00007FFA98842000-memory.dmp

memory/1628-8-0x00007FFA986E8000-0x00007FFA986E9000-memory.dmp

memory/1628-10-0x00007FFA986D0000-0x00007FFA98842000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8dd334f

MD5 83ffe19e38fcf5336b1206a9581f6a4c
SHA1 b35b681bce0ae6f0e1c8805d109d46ec50f33db4
SHA256 0d7317790870c71bdae464aa508a6b98ce9776398a71e6b8e844dabb4f5771bd
SHA512 13bc1100c8d49ae6b8d54a7ac632375ed127b476441f61aaaf1d40a28f57da875b7af5e6677b672f6193916c805c4008338a2b62872d5e1c3e7ee4ac3ef85fd9

memory/448-14-0x00007FFAA8050000-0x00007FFAA8245000-memory.dmp

memory/448-16-0x0000000075B00000-0x0000000075C7B000-memory.dmp

memory/448-17-0x0000000075B0E000-0x0000000075B10000-memory.dmp

memory/448-18-0x0000000075B00000-0x0000000075C7B000-memory.dmp

memory/448-23-0x0000000075B00000-0x0000000075C7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3608-26-0x00000000009D0000-0x0000000000C19000-memory.dmp

memory/3608-27-0x00007FFAA8050000-0x00007FFAA8245000-memory.dmp

memory/3608-28-0x00000000009D0000-0x0000000000C19000-memory.dmp

memory/3608-41-0x000000001CD10000-0x000000001CF6F000-memory.dmp

memory/3608-82-0x00000000009D0000-0x0000000000C19000-memory.dmp

memory/448-83-0x0000000075B0E000-0x0000000075B10000-memory.dmp

memory/3608-84-0x00000000009D0000-0x0000000000C19000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240611-en

Max time kernel

120s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win10v2004-20240611-en

Max time kernel

132s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 18:33

Reported

2024-06-28 18:36

Platform

win7-20240508-en

Max time kernel

143s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2424 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 2360 wrote to memory of 2920 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2920 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 148

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\b01bbdac

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

C:\Users\Admin\AppData\Local\Temp\b2e7369a

MD5 6aa1401c21b6ba7fb11a091198c9a347
SHA1 1749423e504f1d8e705a2237947fda9b45abc28a
SHA256 ff53e9f377be5d914fc86b16b6a239c7ae7126e31449aa02a063abe46253b085
SHA512 c89e0982d9878fdc59d4b1ce86fea0c9a585af4feea3ae2e69e8549c45b9fff145eeeed9d32684bdb4ff51d96f1ae3b17208cd23d081a6691f6bec1f74383e7e

\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
