Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-06-2024 09:28

General

  • Target

    Setup.exe

  • Size

    675.4MB

  • MD5

    14cf56e3094e94a6bcd9f1b18c2e9726

  • SHA1

    b4d6a5f8f6cc0429c02d5b9d0be1e29172010d3c

  • SHA256

    e42c58c29931bee78061436503afbbef40e74c43da2c6291e0e09213add1c5e6

  • SHA512

    122f873501c376615139f7387c33cc533b83af4555f92fe0c09fcca837fdc1f3af2a3659f44c037748b06c613d014160304cf487eb68c154086f0d3749292e65

  • SSDEEP

    196608:L0bq45mmYPrOLaxhyEjILWjDLGfCYZmJu9JgU04IcW7fIxOntw93/sDF1kIQyXjX:obq4o3jOLaXILWfSbg

Malware Config

Extracted

Family

vidar

C2

https://t.me/g067n

https://steamcommunity.com/profiles/76561199707802586

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Signatures

  • Detect Vidar Stealer 7 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe
      C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe
        C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Windows\SysWOW64\more.com
          C:\Windows\SysWOW64\more.com
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Users\Admin\AppData\Local\Temp\VIDA.au3
            C:\Users\Admin\AppData\Local\Temp\VIDA.au3
            5⤵
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\KEGDBFIJKEBG\ECAEGH

    Filesize

    512KB

    MD5

    59071590099d21dd439896592338bf95

    SHA1

    6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c

    SHA256

    07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541

    SHA512

    eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

  • C:\Users\Admin\AppData\Local\Temp\9ffe5600

    Filesize

    2.7MB

    MD5

    269b7fe84066adeabdc1ccf7b8d0641a

    SHA1

    1148ecb7e08a4ad4f334d524b348c2dea033120a

    SHA256

    7c654bff9135e6b86c1aa7c40e29c704dea1945c96a559169bfc3300191b180d

    SHA512

    a1e1a7885dde35f0aa7f003422ececa24bc8f8013252b527d1dc3dcb6ffd83cc29c7fd112942a4813e46ba2e5f276235569f282c74a9fe33aed5c001ab93eea3

  • C:\Users\Admin\AppData\Local\Temp\VIDA.au3

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\a7074fd7

    Filesize

    1.7MB

    MD5

    47eae76f935ca7e5e24b84c60b694570

    SHA1

    e936825d92661459f6486b770d495f368c61f545

    SHA256

    f32f1a3810552391c1ea80d4c6f90c01ab0617a9dc71a57dc20b062f84b61080

    SHA512

    a383b4df0a1be7bc2adf122845cf65d9315e239beb479a0378285bee013aebc138b8dc7068ebecbc2097b14a0b21dae06621ae4e7db8a877af96b924c4c3014b

  • C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe

    Filesize

    1.1MB

    MD5

    c047ae13fc1e25bc494b17ca10aa179e

    SHA1

    e293c7815c0eb8fbc44d60a3e9b27bd91b44b522

    SHA256

    6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf

    SHA512

    0cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c

  • C:\Users\Admin\AppData\Local\Temp\nodealt\WebView2Loader.dll

    Filesize

    157KB

    MD5

    4a99cb402c0d843b61a83015e0d3d731

    SHA1

    ac59e7722c85fef8050a715e6f4c3a3e5085d98e

    SHA256

    4ae3f7437a6991db64eac8e5d2fa02e9edce56ad98aaa273006963fed39548a8

    SHA512

    1eceb6ff5f53a98e61f21c90de9242e46c9607817eeb7ce77f500a5b225e123ac52b357c7729b334063cd8c8b37c2fbe38e76c1a5ee77244b176aa3e08d7eb18

  • C:\Users\Admin\AppData\Local\Temp\nodealt\butadiene.wav

    Filesize

    1.2MB

    MD5

    4f43217ff7e7fcb652b20534150b9f0d

    SHA1

    035e35018b9c88309c8fdd7edde4d3add42606b8

    SHA256

    223b47f477447d6584a7d27a10e92694a5a9c4c3823e126a2753a1e700128017

    SHA512

    e06b90045ad605de2fae14a65959e684d4a64a85dec8eedf26b179ca16d3d17601afa2766a4cbde4f2061f70ee99f4d9746d7edc1a0e93648abe366616560479

  • C:\Users\Admin\AppData\Local\Temp\nodealt\perfidy.svg

    Filesize

    65KB

    MD5

    d7046da347cd1c24f9af82a326413734

    SHA1

    a8ecd6cd212e0b866ef9611bf07b6826262da0c4

    SHA256

    580209f46352f01b832c81a836e72d05819d33502f51bdda6212eefe0b7675d6

    SHA512

    cd0327dce2c68ee800e204972a88afc30b59e93847a4837fb72ddb2ee0de73e40b8e4450d7f800d50adf239ee0bdf6a1818e21c05677d1893906fc898f59c9de

  • memory/992-38-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/992-8-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/992-16-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/992-6-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/992-11-0x00007FF860768000-0x00007FF860769000-memory.dmp

    Filesize

    4KB

  • memory/992-18-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/992-0-0x00007FF781090000-0x00007FF781F01000-memory.dmp

    Filesize

    14.4MB

  • memory/2240-108-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-109-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-145-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-144-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-110-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-50-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-53-0x0000000000D00000-0x0000000000F49000-memory.dmp

    Filesize

    2.3MB

  • memory/2240-69-0x00000000212E0000-0x000000002153F000-memory.dmp

    Filesize

    2.4MB

  • memory/2240-52-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

    Filesize

    2.0MB

  • memory/2460-44-0x0000000075290000-0x000000007540D000-memory.dmp

    Filesize

    1.5MB

  • memory/2460-42-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

    Filesize

    2.0MB

  • memory/3396-39-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/3396-37-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/3396-36-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB

  • memory/5092-24-0x00007FF860750000-0x00007FF8608CA000-memory.dmp

    Filesize

    1.5MB