Analysis Overview
SHA256
d688113f745fbdea695db3f1c441431617fd6e07dba111d61c24126c0b0314a4
Threat Level: Known bad
The file Setup.zip was found to be: Known bad.
Malicious Activity Summary
Stealc
Detect Vidar Stealer
Vidar
Loads dropped DLL
Reads user/profile data of local email clients
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 02:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:55
Platform
win7-20240508-en
Max time kernel
143s
Max time network
121s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 876 set thread context of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 148
Network
Files
C:\Users\Admin\AppData\Local\Temp\b47a9051
| MD5 | 957edcb00ce0b522499f6c799ea11053 |
| SHA1 | b1c91d93701d206820e45118e0df50d34790d27d |
| SHA256 | e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d |
| SHA512 | 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6 |
C:\Users\Admin\AppData\Local\Temp\b8acc765
| MD5 | 70d544ea90499a5404a8298a98f5a355 |
| SHA1 | be8ce8d3791656ed8833e9884b1584231bfee8e6 |
| SHA256 | 9a03bcf5e6c9e1caf20f8773e9438acc627e797b23db8ef6d27704d4b975ac34 |
| SHA512 | 0715a68babaf4e18f3b2522b657c728c2a03af2ade1cbf1479d477914794c64ce765139fd5786d821c3e7b1a302d7deb230ea94a2dfa59cdd8742a7abfb0e331 |
\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:55
Platform
win10-20240404-en
Max time kernel
131s
Max time network
135s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5064 set thread context of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.115.119.168.in-addr.arpa | udp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 168.119.115.138:9000 | N/A | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\feb27f54
| MD5 | 957edcb00ce0b522499f6c799ea11053 |
| SHA1 | b1c91d93701d206820e45118e0df50d34790d27d |
| SHA256 | e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d |
| SHA512 | 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6 |
C:\Users\Admin\AppData\Local\Temp\2be006b
| MD5 | 79d6cd0a6fa70df57844f76a30cfe8cf |
| SHA1 | d44d41bc8314a68800714af798080bbd6971c696 |
| SHA256 | 3ee5c71955bd714b73ca800d3b5b840427e5d8bcd0e224fe202663c17d7413a7 |
| SHA512 | 3209fc4ba40e585960ddbc5e6c01130a2a1ccee5202847ebca92de93d987a4e8159ab3fbbf50f3fb5067ad2071898cf521efafc6d12f03eb4562c169679c1908 |
C:\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
\ProgramData\AAKJEGCFBGDH\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\AAKJEGCFBGDH\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\AAKJEGCFBGDH\VCRUNT~1.DLL
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\AAKJEGCFBGDH\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\AAKJEGCFBGDH\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:55
Platform
win10v2004-20240611-en
Max time kernel
133s
Max time network
152s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1904 set thread context of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3060,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:8
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3612,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:3
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBGCBKFBGIII" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.115.119.168.in-addr.arpa | udp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| DE | 168.119.115.138:9000 | 168.119.115.138 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\b5df97f2
| MD5 | 957edcb00ce0b522499f6c799ea11053 |
| SHA1 | b1c91d93701d206820e45118e0df50d34790d27d |
| SHA256 | e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d |
| SHA512 | 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6 |
C:\Users\Admin\AppData\Local\Temp\bb7083d5
| MD5 | 1d88c4434779a424cdc3383613851f80 |
| SHA1 | cc0b88adab15e067d943b4551f8f2af79f205ac3 |
| SHA256 | 236206c5cf0e197614ad6663422da4d07a1720c3de1309b03c74367277995a00 |
| SHA512 | 01dd009b6e69ad5a9e376c18148a6a9f078c45b8dcad1c28951a71445d543704591c161f4722856c3673d6fa2955ca088dd090a9cdc5c6f57fac69f30407bd7e |
C:\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\ProgramData\CBGCBKFBGIII\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\CBGCBKFBGIII\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\ProgramData\CBGCBKFBGIII\VCRUNT~1.DLL
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\CBGCBKFBGIII\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\CBGCBKFBGIII\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
debian9-mipsbe-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Setup.exe
[/tmp/Setup.exe]
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Setup.exe
[/tmp/Setup.exe]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
3s
Command Line
Signatures
Processes
/tmp/Setup.exe
[/tmp/Setup.exe]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
debian9-armhf-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Setup.exe
[/tmp/Setup.exe]
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:55
Platform
win11-20240508-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Reads data files stored by FTP clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1692 set thread context of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\KFCGDBAKKKFB" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\c18cdc02
| MD5 | 957edcb00ce0b522499f6c799ea11053 |
| SHA1 | b1c91d93701d206820e45118e0df50d34790d27d |
| SHA256 | e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d |
| SHA512 | 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6 |
C:\Users\Admin\AppData\Local\Temp\c5b29c33
| MD5 | 9722acf580727032fc0ee7e15405cb81 |
| SHA1 | e1c22a06014956a1c4318e30e1e2f06204a2df0c |
| SHA256 | d21a368256d953ef7bb8e2365bc0609af23b511ef4f135e83a79c7515a1fc3b0 |
| SHA512 | ef850b27d74da5598bffc4c989ee9ff14b4df680c960acb9505eaba81aee124c5be067b67626ba92b96b0ddba202d7498d7305e62e409d33e66a326b91f3728e |
C:\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
android-x86-arm-20240624-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
android-x64-20240624-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:53
Platform
android-x64-arm64-20240624-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | N/A | tcp |
| GB | 142.250.180.14:443 | N/A | tcp |
| GB | 142.250.180.14:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.213.10:443 | N/A | tcp |
| GB | 216.58.213.10:443 | N/A | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-29 02:51
Reported
2024-06-29 02:55
Platform
macos-20240611-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Setup.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Setup.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Setup.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Setup.exe]
/Users/run/Setup.exe
[/Users/run/Setup.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.3.6:443 | N/A | tcp |
| US | 151.101.195.6:443 | N/A | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | N/A | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| US | 23.219.244.63:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |