Analysis
- max time kernel: 149s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 01:51
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: !!fUlLSetup_3355_P@ssKeys!!/Setup.exe, win7-20240508-en
- behavioral2: !!fUlLSetup_3355_P@ssKeys!!/Setup.exe, win10v2004-20240611-en
- behavioral3: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~00299a408.js, win7-20240611-en
- behavioral4: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~00299a408.js, win10v2004-20240508-en
- behavioral5: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~05c32d390.js, win7-20240611-en
- behavioral6: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~05c32d390.js, win10v2004-20240508-en
- behavioral7: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~074e593a7.js, win7-20240221-en
- behavioral8: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~074e593a7.js, win10v2004-20240611-en
- behavioral9: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~114e7a4e2.js, win7-20240508-en
- behavioral10: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~114e7a4e2.js, win10v2004-20240611-en
- behavioral11: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~11d764003.js, win7-20240508-en
- behavioral12: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~11d764003.js, win10v2004-20240611-en
- behavioral13: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~13bdaad06.js, win7-20240611-en
- behavioral14: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~13bdaad06.js, win10v2004-20240226-en
- behavioral15: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~1e47f672e.js, win7-20240221-en
- behavioral16: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~1e47f672e.js, win10v2004-20240508-en
- behavioral17: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~2dcc5aaf7.js, win7-20240611-en
- behavioral18: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~2dcc5aaf7.js, win10v2004-20240508-en
- behavioral19: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~32b5733f1.js, win7-20240508-en
- behavioral20: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~32b5733f1.js, win10v2004-20240611-en
- behavioral21: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~3fde5681b.js, win7-20240508-en
- behavioral22: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~3fde5681b.js, win10v2004-20240508-en
- behavioral23: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~4611591fd.js, win7-20240508-en
- behavioral24: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~4611591fd.js, win10v2004-20240611-en
- behavioral25: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~4bfd2d106.js, win7-20240508-en
- behavioral26: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~4bfd2d106.js, win10v2004-20240611-en
- behavioral27: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~5303f55e9.js, win7-20240611-en
- behavioral28: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~5303f55e9.js, win10v2004-20240508-en
- behavioral29: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~57063afaa.js, win7-20240611-en
- behavioral30: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~57063afaa.js, win10v2004-20240611-en
- behavioral31: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~643d02cb5.js, win7-20240221-en
- behavioral32: !!fUlLSetup_3355_P@ssKeys!!/autocompletion/libraries/libraries~643d02cb5.js, win10v2004-20240508-en
General
- Target: !!fUlLSetup_3355_P@ssKeys!!/Setup.exe
- Size: 656.8MB
- MD5: a16936abeb9abc4945d6fdd76ecec729
- SHA1: a74de976ce3af1db488626afe9796f7f13add504
- SHA256: b2300fcaa158d08f4980f4cfe7373848256bd4918384a18e3c32b464add812a7
- SHA512: d03704bef171f7815765fb527fa7c1103fdfbdfeaad22eb09b0af893ff1adec9455e7c6629946846be1924e12ac5213f7f467abf0a7276522bccfac3d25f8f44
- SSDEEP: 196608:doeohPRS9UUoFG2z4wThcbwNq1Af8YOdN6ZLAM4/tS9yS:doeoRao/
Malware Config
Extracted family: vidar
- https://t.me/g067n
- https://steamcommunity.com/profiles/76561199707802586
- user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures

Detect Vidar Stealer (3 IoCs)
Memory dumps matched (resource, yara_rule):
- behavioral1/memory/2660-27-0x00000000005F0000-0x0000000000839000-memory.dmp, family_vidar_v7
- behavioral1/memory/2660-34-0x00000000005F0000-0x0000000000839000-memory.dmp, family_vidar_v7
- behavioral1/memory/2660-37-0x00000000005F0000-0x0000000000839000-memory.dmp, family_vidar_v7

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
Memory dumps matched (resource, yara_rule):
- behavioral1/memory/2660-27-0x00000000005F0000-0x0000000000839000-memory.dmp, INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral1/memory/2660-34-0x00000000005F0000-0x0000000000839000-memory.dmp, INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Loads dropped DLL (7 IoCs)
Processes (pid, process):
- 2484, more.com
- 2660, VIDA.au3
- 2536, WerFault.exe (5 entries)

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1688 set thread context of 2484; 1688, Setup.exe, more.com

Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
- 2536, 2660, WerFault.exe, VIDA.au3

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 1688, Setup.exe (2 entries)
- 2484, more.com (2 entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid, process):
- 1688, Setup.exe
- 2484, more.com

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description, pid, process, target process):
- PID 1688 wrote to memory of 2484; 1688, Setup.exe, more.com (5 entries)
- PID 2484 wrote to memory of 2660; 2484, more.com, VIDA.au3 (7 entries)
- PID 2660 wrote to memory of 2536; 2660, VIDA.au3, WerFault.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"
  PID: 1688
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\more.com (child of PID 1688)
    Command line: C:\Windows\SysWOW64\more.com
    PID: 2484
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\VIDA.au3 (child of PID 2484)
      Command line: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
      PID: 2660
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (child of PID 2660)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 148
        PID: 2536
        - Loads dropped DLL
        - Program crash
Downloads
- Filesize: 1.6MB
  MD5: e9036df928c31d7ba3f8ed63275a9dc2
  SHA1: d1effabbdb38682cf73f6ddb5f0170112efe6381
  SHA256: f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
  SHA512: 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d
- Filesize: 1.7MB
  MD5: 259a510140a5ca1fb7d8c620025947c8
  SHA1: 77c23f8083a6872d16f9df3d25d0a7f00d3ab920
  SHA256: fa920ff6ca68fd1db5d420266474232ec47af7ba185dcc99bc2656f4d88e9963
  SHA512: ac3d5efec81919d1dd16ad76de24624c8ef8062d04a193336b6e7ed41385a691052f75709b0b0149b06f2310fc8146a6676077b1092ae2bfe6107b40d8692c53
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c