Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 00:29
Static task: static1
Behavioral task: behavioral1
Sample: dee45b3ad0c841d54049061df5775ec0.exe
Resource: win7-20240611-en
General
Target: dee45b3ad0c841d54049061df5775ec0.exe
Size: 2.2MB
MD5: dee45b3ad0c841d54049061df5775ec0
SHA1: 6fcbcf0d362d83ac346576ec8ba66b0cb3f1b4fd
SHA256: 159e547225b9f035bf95279055d66810149fa93debea660766552008271e3e5c
SHA512: df3adca29d98c6bacbb9ecec498425f72a722aab2f187231689f5b7b959d8fa8b561ff0846ee0c8a495b204e6445305bbe56063672512f27369adba3e39978f2
SSDEEP: 49152:qpjNvr9ySAOmw4FHHO+SASagXkJr4MDkUwm:qpjNp7p4FHH8n5A
Malware Config
Extracted: vidar
https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures

Detect Vidar Stealer (17 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1656-1-0x0000000003270000-0x0000000003380000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-15-0x0000000000400000-0x0000000000648000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-24-0x0000000000400000-0x0000000000648000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-19-0x0000000000400000-0x0000000000648000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-17-0x0000000000400000-0x0000000000648000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-23-0x0000000000400000-0x0000000000648000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-55-0x0000000000400000-0x0000000000648000-memory.dmp    family_vidar_v7
  behavioral1/memory/912-137-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-170-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-181-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-189-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-229-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-362-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-379-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-380-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-397-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7
  behavioral1/memory/912-430-0x0000000000400000-0x0000000000648000-memory.dmp   family_vidar_v7

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  912   kat15F1.tmp

Loads dropped DLL (2 IoCs)
Processes:
  pid    process
  1656   dee45b3ad0c841d54049061df5775ec0.exe
  1656   dee45b3ad0c841d54049061df5775ec0.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid    process                                target process
  PID 1656 set thread context of 912   1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                                  process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      kat15F1.tmp
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  kat15F1.tmp

Delays execution with timeout.exe (1 IoC)
Processes:
  pid   process
  872   timeout.exe

Modifies system certificate store
Processes:
  description        ioc                                                                                                                      process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25   kat15F1.tmp
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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   kat15F1.tmp

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  912   kat15F1.tmp
  912   kat15F1.tmp
  912   kat15F1.tmp
  912   kat15F1.tmp
  912   kat15F1.tmp
  912   kat15F1.tmp

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                         pid    process                                target process
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 1656 wrote to memory of 912     1656   dee45b3ad0c841d54049061df5775ec0.exe   kat15F1.tmp
  PID 912 wrote to memory of 2872     912    kat15F1.tmp                            cmd.exe
  PID 912 wrote to memory of 2872     912    kat15F1.tmp                            cmd.exe
  PID 912 wrote to memory of 2872     912    kat15F1.tmp                            cmd.exe
  PID 912 wrote to memory of 2872     912    kat15F1.tmp                            cmd.exe
  PID 2872 wrote to memory of 872     2872   cmd.exe                                timeout.exe
  PID 2872 wrote to memory of 872     2872   cmd.exe                                timeout.exe
  PID 2872 wrote to memory of 872     2872   cmd.exe                                timeout.exe
  PID 2872 wrote to memory of 872     2872   cmd.exe                                timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe"
  PID: 1656
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp
    PID: 912
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp" & rd /s /q "C:\ProgramData\EHIDAKECFIEB" & exit
      PID: 2872
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 10
        PID: 872
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 694d8cad1ec9ccb15da95727ce1fd751
SHA1: 9a3eaaeb1bf65e514fdb35d9456886d0e292be50
SHA256: 5ce10526c822d58833bec30bb8396afaa63104a896806eb1e806692b1fbddc03
SHA512: 63f8eda3ec4fa263787cb52ebaa3e28aa1fcc3b0f328e42017ace9f4c732dc3da98956b93ed890b304ada94ffa77d42521ac83eb936a0253046ceb90c150fa71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 653df58168c88e0838b3d262c9018e29
SHA1: 125378d4146f1b88c53c8b8c4d58a300e577a59f
SHA256: 3bf415cf652a0ab96b5fcff11b2b00b761723f7842fae09eea47b03ddc564ead
SHA512: 03ab3cc19c888a453e0d1b6fee9d3670aadb7f7eff6a8e2e098fb93f20bb6a260ca1a61a3afe65e5f285d757ea240c1be4cbfdcba2378571cfe2afd141f670f9

Filesize: 67KB
MD5: 2d3dcf90f6c99f47e7593ea250c9e749
SHA1: 51be82be4a272669983313565b4940d4b1385237
SHA256: 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512: 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Filesize: 160KB
MD5: 7186ad693b8ad9444401bd9bcd2217c2
SHA1: 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256: 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512: 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Filesize: 861KB
MD5: 66064dbdb70a5eb15ebf3bf65aba254b
SHA1: 0284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA256: 6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512: b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f