Analysis
-
max time kernel
136s -
max time network
142s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
29/06/2024, 12:36
General
-
Target
Setup.exe
-
Size
675.6MB
-
MD5
acc3282f8baa586c256c7c1b6ff4522c
-
SHA1
463d8ed383ad2a36a9df93dfefa493a2a95f4445
-
SHA256
2d4a3b606626c54ef71e06abab01fb69a3ff26e8c7d5322c12511e5d8bd52dc4
-
SHA512
e9e7321bde05e5e0f882bdd99695990dae509c24a168f017f8b83b332d350d8662e81bc380cae64730d9eeb6bccbd6a2c2a6a6aedace7a51483b4251a49ca2ed
-
SSDEEP
196608:i0bq45mmYPrOLaxhWJVXdgvY23Jj/W5PCtLwFRpeZApj6bZy3yIhoR0LrLBsyyS3:bbq4o3jOLaSbKY2N/6CNyRp9j6bI
Malware Config
Extracted
vidar
https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures
-
Detect Vidar Stealer 9 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exeC:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exeC:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VIDA.au3C:\Users\Admin\AppData\Local\Temp\VIDA.au35⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEGIJKEHCAKF" & exit6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe185c3cb8,0x7ffe185c3cc8,0x7ffe185c3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12045506691970760653,13403520331212911544,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,12045506691970760653,13403520331212911544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,12045506691970760653,13403520331212911544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12045506691970760653,13403520331212911544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12045506691970760653,13403520331212911544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exeC:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exeC:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\VIDA.au3C:\Users\Admin\AppData\Local\Temp\VIDA.au35⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\winver.exe"C:\Windows\system32\winver.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5ca23305ef4d62a55954792dbd2db5515
SHA18edb048fb64333652e2822c12eff2fa888744078
SHA256f08f37de0b404daabed9a3628273e365e4053d26a106524ecb50c87c5770e269
SHA5129a447dd0f9efc13d09cec9a730cd3fa6cae67bc60c2ae6177164bd2b9386561ce8b8ad05c47bc0d31d72102ecc24d7aa0c1cfb0e90d2bdc3807091836e76db7d
-
Filesize
512KB
MD559071590099d21dd439896592338bf95
SHA16a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA25607854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668
-
Filesize
152B
MD5bbfb66ff6f5e565ac00d12dbb0f4113d
SHA18ee31313329123750487278afb3192d106752f17
SHA256165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754
SHA5128ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560
-
Filesize
152B
MD59a91b6dd57fc9c4880d34e9e7c6b760f
SHA177a09da6ef4343a8b232386e000cd2d6b9fc30a3
SHA2560170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a
SHA5129fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f
-
Filesize
5KB
MD534b1b00982ca21b5e71ef1ea9a78d7fa
SHA18cfbecd721b0e005aa5f1ffc92fd405730810fe3
SHA25641aaec399584d7b5f20bdf48d7664cc3e6dd04e237e609f82d9ba4652c8bfe03
SHA512e12448bb441826bb41490c35ba61ce70e178d5a2ab3b556201271685bbde84cf5712f662769f87454459f1040dd02b02c74108aa8222b6f86e44bec368bf4abf
-
Filesize
5KB
MD5ab8d2cae4410b8e3bb3507247b084e9d
SHA150ba616efa19a1d43f212ca91bcb36b07db72737
SHA256f5f43b1b2ca6a4f449c1a1b4d25114d5de002479ffba4ea520e9a03243c1be7e
SHA5121a595544a6f6f52b274b30c4cb414e36e14df0d9ba5d68b34bcc3035e251efaef472066750e43943d69669ac05d0aecd4e8dda66607d61b75b609a1ef6c16d4e
-
Filesize
11KB
MD5fbbaab7e115d5579cb435f2c5e6bbb04
SHA1243b54c1d943d68e6d88399ab1e8d79864198a25
SHA256f58aba77b7c3ddd2b1330c33f6dc580418659d9ed31d2b9a1f7f252d249b7faa
SHA5127a301e2d25389f99fb4c784d4caeb9a42c7a0c38f8b6d878534307a089bec205e5b469888c766eee982adc32adbbd4479a9573a769eb81ab5046335219c5d89d
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2.3MB
MD590e744829865d57082a7f452edc90de5
SHA1833b178775f39675fa4e55eab1032353514e1052
SHA256036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550
SHA5120a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323
-
Filesize
1.7MB
MD5f90a3b3c91a2e1a0d2d48267d3f93c2e
SHA1043d2071ced2d2513176cde58d5e35b5a44c5d46
SHA2568a2edf67c6091edbc1172369a8672996c82d4e3857c992058f19f63abd058005
SHA51266deea1e3e9fb2670f363adcf4e300376813e97b7f7474e425c522a007ce00c8b0d3a06aea603a16539dbbffb8c9d2bf8e0de143ec8891dbc910d6e1a3664d1a
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
3.0MB
MD5296aee37aa4a381e48dd9b696841c788
SHA19d2eb33549f04089179ce4f6b5d7ad05981401d2
SHA256c43902f540257932cc7e61f782bf3050af5cf0f15632bc76af1e633febf4def1
SHA512e502eecaa8936c038b53e5ebe747ce188f524a6beebac9144948604870efc9454008220ef9713ebcb2a6943114d3417c04c198c5bc02f88fb5024cbb4274d02a
-
Filesize
1.7MB
MD5be02fd8bb7bb6d12bdceaca75a622be1
SHA1d11372d105df847f65ff5093cdbf088d6bc029cc
SHA256c9a6f3d7eb30667bac707102be5486e56491b19e917022c76c0fd7ee7c36a6c0
SHA512f4b94d3dfacfa99525e6ee603322bc41c61c9e311c84909a225c3abfc0b55f14cd9fc344132fc08cf0e2927b7c863948f17c9f61f6b03818baf147bfdb828e51
-
Filesize
1.1MB
MD5c047ae13fc1e25bc494b17ca10aa179e
SHA1e293c7815c0eb8fbc44d60a3e9b27bd91b44b522
SHA2566c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
SHA5120cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c
-
Filesize
157KB
MD54a99cb402c0d843b61a83015e0d3d731
SHA1ac59e7722c85fef8050a715e6f4c3a3e5085d98e
SHA2564ae3f7437a6991db64eac8e5d2fa02e9edce56ad98aaa273006963fed39548a8
SHA5121eceb6ff5f53a98e61f21c90de9242e46c9607817eeb7ce77f500a5b225e123ac52b357c7729b334063cd8c8b37c2fbe38e76c1a5ee77244b176aa3e08d7eb18
-
Filesize
1.2MB
MD51acf3a2fc94574480aeeaa875c041521
SHA17d7c2e2cb200a6d79467ada52b37a4e4aea8d80b
SHA2565c88b8bbeb0c631f7918c7e2ce9b1b7a90a84504639cf8d589d09c484625c6e2
SHA512123b7a86e805e80a0b07606450acc474f8a20fa9475034b278043ff4cb049834738d04f8af04347c9e151b2d711f287e767d8d3a395a81ad0fd6b983dea078c5
-
Filesize
65KB
MD5d7046da347cd1c24f9af82a326413734
SHA1a8ecd6cd212e0b866ef9611bf07b6826262da0c4
SHA256580209f46352f01b832c81a836e72d05819d33502f51bdda6212eefe0b7675d6
SHA512cd0327dce2c68ee800e204972a88afc30b59e93847a4837fb72ddb2ee0de73e40b8e4450d7f800d50adf239ee0bdf6a1818e21c05677d1893906fc898f59c9de
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
14.7MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
14.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.3MB
-
Filesize
2.0MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.0MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
