Analysis
max time kernel: 38s
max time network: 48s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-07-2024 17:20
Static task: static1
Behavioral task: behavioral1
Sample: software.exe
Resource: win10v2004-20240704-en
General
Target: software.exe
Size: 5.5MB
MD5: 1ed6f9d578e14edad0bf47edf1f6269f
SHA1: 0e6546d7a7f237a4c094e24810fd4ab29ab6a970
SHA256: 83b2f6c63dc3ec6cea64755ce2042ff747d52571daaef8a47934e00378f0afd3
SHA512: 7481e391bc9fd0b0a30ca7464847e6ab0bbaa4febb8bfb33407742fd2e90f7fb0d88fd2ab0dc49fa499864e16a234d6f910926944c2a3ce337d614351dccfd60
SSDEEP: 98304:zeL9fRCBL/JS6w1PMcf5blPwJp003KOIupEAjlgJHc6:zeL9ROL/Eh/PQbaObEACl
Malware Config
Extracted
Family: vidar
https://t.me/bu77un
https://steamcommunity.com/profiles/76561199730044335
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1
Signatures
Detect Vidar Stealer (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3564-67-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
behavioral2/memory/3564-69-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
behavioral2/memory/3564-71-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
behavioral2/memory/3564-73-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
behavioral2/memory/3564-74-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
behavioral2/memory/3564-76-0x0000000000400000-0x0000000000648000-memory.dmp | family_vidar_v7
Suspicious use of SetThreadContext (1 IoC)
Processes: software.exe
description | pid | process | target process
PID 1832 set thread context of 3564 | 1832 | software.exe | MSBuild.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MSBuild.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MSBuild.exe
Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
pid | process
496 | timeout.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: MSBuild.exe
pid | process
3564 | MSBuild.exe
3564 | MSBuild.exe
3564 | MSBuild.exe
3564 | MSBuild.exe
3564 | MSBuild.exe
3564 | MSBuild.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: software.exe
description | pid | process
Token: SeDebugPrivilege | 1832 | software.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: software.exe, MSBuild.exe, cmd.exe
description | pid | process | target process
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 1832 wrote to memory of 3564 | 1832 | software.exe | MSBuild.exe
PID 3564 wrote to memory of 4152 | 3564 | MSBuild.exe | cmd.exe
PID 3564 wrote to memory of 4152 | 3564 | MSBuild.exe | cmd.exe
PID 3564 wrote to memory of 4152 | 3564 | MSBuild.exe | cmd.exe
PID 4152 wrote to memory of 496 | 4152 | cmd.exe | timeout.exe
PID 4152 wrote to memory of 496 | 4152 | cmd.exe | timeout.exe
PID 4152 wrote to memory of 496 | 4152 | cmd.exe | timeout.exe
Processes
C:\Users\Admin\AppData\Local\Temp\software.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\software.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1832
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3564
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\FCGIJDBAFCBA" & exit
      - Suspicious use of WriteProcessMemory
      PID: 4152
      C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 10
        - Delays execution with timeout.exe
        PID: 496