Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64 arch:x86 image:win11-20240419-en locale:en-us os:windows11-21h2-x64 system -
submitted
29-06-2024 09:28
Static task
static1
General
-
Target
Setup.exe
-
Size
675.4MB
-
MD5
14cf56e3094e94a6bcd9f1b18c2e9726
-
SHA1
b4d6a5f8f6cc0429c02d5b9d0be1e29172010d3c
-
SHA256
e42c58c29931bee78061436503afbbef40e74c43da2c6291e0e09213add1c5e6
-
SHA512
122f873501c376615139f7387c33cc533b83af4555f92fe0c09fcca837fdc1f3af2a3659f44c037748b06c613d014160304cf487eb68c154086f0d3749292e65
-
SSDEEP
196608:L0bq45mmYPrOLaxhyEjILWjDLGfCYZmJu9JgU04IcW7fIxOntw93/sDF1kIQyXjX:obq4o3jOLaXILWfSbg
Malware Config
Extracted
vidar
https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures
-
Detect Vidar Stealer 7 IoCs
Processes:
resource yara_rule
behavioral1/memory/2240-50-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
behavioral1/memory/2240-53-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
behavioral1/memory/2240-108-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
behavioral1/memory/2240-109-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
behavioral1/memory/2240-110-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
behavioral1/memory/2240-144-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
behavioral1/memory/2240-145-0x0000000000D00000-0x0000000000F49000-memory.dmp family_vidar_v7
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid process
5092 JRWeb.exe
3396 JRWeb.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid process
5092 JRWeb.exe
3396 JRWeb.exe
2240 VIDA.au3
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 3396 set thread context of 2460 3396 JRWeb.exe more.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 VIDA.au3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString VIDA.au3
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid process
992 Setup.exe
992 Setup.exe
5092 JRWeb.exe
3396 JRWeb.exe
3396 JRWeb.exe
2460 more.com
2460 more.com
2240 VIDA.au3
2240 VIDA.au3
2240 VIDA.au3
2240 VIDA.au3
2240 VIDA.au3
2240 VIDA.au3
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
3396 JRWeb.exe
2460 more.com
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid process
2240 VIDA.au3
2240 VIDA.au3
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description pid process target process
PID 992 wrote to memory of 5092 992 Setup.exe JRWeb.exe
PID 992 wrote to memory of 5092 992 Setup.exe JRWeb.exe
PID 5092 wrote to memory of 3396 5092 JRWeb.exe JRWeb.exe
PID 5092 wrote to memory of 3396 5092 JRWeb.exe JRWeb.exe
PID 3396 wrote to memory of 2460 3396 JRWeb.exe more.com
PID 3396 wrote to memory of 2460 3396 JRWeb.exe more.com
PID 3396 wrote to memory of 2460 3396 JRWeb.exe more.com
PID 3396 wrote to memory of 2460 3396 JRWeb.exe more.com
PID 2460 wrote to memory of 2240 2460 more.com VIDA.au3
PID 2460 wrote to memory of 2240 2460 more.com VIDA.au3
PID 2460 wrote to memory of 2240 2460 more.com VIDA.au3
PID 2460 wrote to memory of 2240 2460 more.com VIDA.au3
PID 2460 wrote to memory of 2240 2460 more.com VIDA.au3
PID 2460 wrote to memory of 2240 2460 more.com VIDA.au3
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992
-
  Depth 2: C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5092
  -
    Depth 3: C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe
    Command line: C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3396
    -
      Depth 4: C:\Windows\SysWOW64\more.com
      Command line: C:\Windows\SysWOW64\more.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID:2460
      -
        Depth 5: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
        Command line: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID:2240
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
512KB
MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668
-
Filesize
2.7MB
MD5 269b7fe84066adeabdc1ccf7b8d0641a
SHA1 1148ecb7e08a4ad4f334d524b348c2dea033120a
SHA256 7c654bff9135e6b86c1aa7c40e29c704dea1945c96a559169bfc3300191b180d
SHA512 a1e1a7885dde35f0aa7f003422ececa24bc8f8013252b527d1dc3dcb6ffd83cc29c7fd112942a4813e46ba2e5f276235569f282c74a9fe33aed5c001ab93eea3
-
Filesize
872KB
MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
1.7MB
MD5 47eae76f935ca7e5e24b84c60b694570
SHA1 e936825d92661459f6486b770d495f368c61f545
SHA256 f32f1a3810552391c1ea80d4c6f90c01ab0617a9dc71a57dc20b062f84b61080
SHA512 a383b4df0a1be7bc2adf122845cf65d9315e239beb479a0378285bee013aebc138b8dc7068ebecbc2097b14a0b21dae06621ae4e7db8a877af96b924c4c3014b
-
Filesize
1.1MB
MD5 c047ae13fc1e25bc494b17ca10aa179e
SHA1 e293c7815c0eb8fbc44d60a3e9b27bd91b44b522
SHA256 6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
SHA512 0cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c
-
Filesize
157KB
MD5 4a99cb402c0d843b61a83015e0d3d731
SHA1 ac59e7722c85fef8050a715e6f4c3a3e5085d98e
SHA256 4ae3f7437a6991db64eac8e5d2fa02e9edce56ad98aaa273006963fed39548a8
SHA512 1eceb6ff5f53a98e61f21c90de9242e46c9607817eeb7ce77f500a5b225e123ac52b357c7729b334063cd8c8b37c2fbe38e76c1a5ee77244b176aa3e08d7eb18
-
Filesize
1.2MB
MD5 4f43217ff7e7fcb652b20534150b9f0d
SHA1 035e35018b9c88309c8fdd7edde4d3add42606b8
SHA256 223b47f477447d6584a7d27a10e92694a5a9c4c3823e126a2753a1e700128017
SHA512 e06b90045ad605de2fae14a65959e684d4a64a85dec8eedf26b179ca16d3d17601afa2766a4cbde4f2061f70ee99f4d9746d7edc1a0e93648abe366616560479
-
Filesize
65KB
MD5 d7046da347cd1c24f9af82a326413734
SHA1 a8ecd6cd212e0b866ef9611bf07b6826262da0c4
SHA256 580209f46352f01b832c81a836e72d05819d33502f51bdda6212eefe0b7675d6
SHA512 cd0327dce2c68ee800e204972a88afc30b59e93847a4837fb72ddb2ee0de73e40b8e4450d7f800d50adf239ee0bdf6a1818e21c05677d1893906fc898f59c9de