Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
26-07-2024 09:25
General
-
Target
file.exe
-
Size
348KB
-
MD5
bea49eab907af8ad2cbea9bfb807aae2
-
SHA1
8efec66e57e052d6392c5cbb7667d1b49e88116e
-
SHA256
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
-
SHA512
59486e18be6b85f5275c19f963d124f4f74c265b5b6dfa78c52f9243e444f40a7747a741ccb59bf1863ffb497321324c803fc967380900a6a2e0219eb99f387c
-
SSDEEP
3072:oh2eRgJtqxVRGKf8OGiLOnXChCrmqSOLMKTJGlRayuEpZTPckmRmVfL:URRgJtqpGO8OUnrpbMKT0lXZT3p
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Signatures
-
Detect Vidar Stealer 9 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 12 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
cURL User-Agent 1 IoCs
Uses User-Agent string associated with cURL utility.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\ProgramData\CGIDGCGIEG.exeC:\ProgramData\CGIDGCGIEG.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\x7ul92put9p39g1knrz6nu.exeC:\Users\Admin\AppData\Local\Temp\x7ul92put9p39g1knrz6nu.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\sc.exesc.exe stop RDP-Controller4⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore4⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc.exe failure RDP-Controller reset= 1 actions= restart/100004⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc.exe start RDP-Controller4⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\icacls.exeicacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-184⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\icacls.exeicacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\CGIDGCGIEG.exe"C:\ProgramData\CGIDGCGIEG.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAKKEGCAAECA" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 32882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2888 -ip 28881⤵
-
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeC:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.4MB
MD5e9cebb30948e986c3c16e0c9ef8ec9f2
SHA12f8b30106fe66b69c4920771142189a7b6c0c49e
SHA2563c96c92c11b1277b3569d21bde04ee9b33501aee5cb4aea08dac7dd41ff1845f
SHA512122b44a39318a5d5d4dca97d51a22baa6b2b7bd9f0dafea81168c05bfe745c7d29ad3522b7ced2a75e7bd98ecbe3524afd8c70522be2d13aac95e5f919a9f4a5
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
10.1MB
MD51455f96a3552bffcbd01fb90a2a4447b
SHA1a0beb097fb0f3fd1a83ef3d01bff8706a40b32c1
SHA256ce82112e8b4476b65b09fccd1cff9f2f088fe4837c9129de3d82caee138e6d7c
SHA512d2d8f7667cc44f136f34c30a8759c38aee3ffbbdafd1eb6329bf725f3c5cfcd1a0b2f64f9c12feee88680719cb4e3498bfc3d96927ef1f14ca6b4f1c79b52290
-
Filesize
456B
MD540ab00517f4227f2c3c334f1d16b65b4
SHA1f8d57af017e2209b4fb24122647fd7f71b67c87c
SHA2564baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85
SHA51275d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3
-
Filesize
1KB
MD55a31f34c74505786c35f20a18fd1bed7
SHA15867b547473479f41f486e06386c0f1aaebf0362
SHA256817bdaf480df1423051ba719b85e4403b7d2ba1c785bf72b39f846811c74d58e
SHA5124a0e63e5895df3c3cded65cceb5dc654c6b7c4e159116d484b2db59e6a5abad94342f7e22e73743563c4eb3225a8716417fdbd20f8b7547cf74955d0b895202a
-
Filesize
214B
MD591d86e531fece0d34ad78d947fc7331c
SHA152c9a7c16634637e9db31a6ce63850dfb170b44d
SHA256a885c71096995389df3015b194b9ad10ae24c4328f4322932d6455398b2fc653
SHA5121ee4ed0f8045670dbee2c5c4f8100c362b84c1ccc1a2e7f4fd1e97ec057055f1a8dc75a0ce349cc01dbffa2b18e7c7c2288845641358ca3a609b0e6fbd9f49b5
-
Filesize
102KB
MD57d37ab1e97bbc8593665ff365d8c96b7
SHA1b42a6717f91a4c538a4979ab1f0a9cc58485061d
SHA2561da31243257b0ebc79ba57ca98e6a3a1996cc4e2641e96098561cdcb1fa3ee46
SHA51260b3683fa7bca42932e02aed4615e67264f31d6f85bebcd3ea7187b9f7a9f79270341496432c07f7e9b10a3172af22d636206fa5b89514a693405ec9d61f678d
-
Filesize
90KB
MD5fb3bdb27d9c479148f3545ed99e65980
SHA1a5860563de81d8b74a1c842647e8f4ac7655842a
SHA2562b5dc45e89700d4b991added1aa097641d60932b7bbe2c12fc8536b9d46f15a6
SHA512a26d4b169c4061fc7a2a5fefaeb4aae0e9a28211fa28f42b929eaac3721dcbdd17a17ed6e77a79c17d93355cf85e4c46118e42d4f527adf054ab1cc79c8b4d74
-
Filesize
8KB
MD51256da672b8f39a275fe17e6c716f822
SHA1b156c2186056cc5bfca84549dd53f796936b2f6d
SHA25644dc1f938213e09a6ef6a64a9f14804530ae53f41e71813efaf651d9516e246e
SHA512956d431c83ed0dd59d6f1f3101dcbcad0c6bc1e06031141aaa236f7115a6cdaf95ccea09e42cf1047d2205e8b37f87ea17bebaabfb9c85b96d6fa12de1c7f403
-
Filesize
64KB
MD5166c6727028bd4f428e411ed225117c6
SHA1d08cb3e69ea6cf633349f990229e87cba4bcd72a
SHA25663a0993b931dad9dccf08ea48a0d8e8ba94652eda5bc84f787e640cdd0fc800a
SHA51290edf532080c61e9fee3b8c884e8894b8a52955410489bbcba3a53ab7a2e291ec2d382a2cb1f5b304762207cbc1971f4a440281a5653257e7223ce171b3646a0
-
Filesize
10KB
MD5e294a1213bd2bc79b2a4a3d9fa958ed9
SHA1a25e519a5ed6dcd4df54ab45592084c76cdce890
SHA2562f925ee2bd1de1807df22ab14cb4839e3a906f04909a1f4bf0bdaa273f8aa505
SHA512cb436db21d6d18c8b4a24688d60e729a7a5b22584f491244251b3cc73a055352efae8f2e80904e806c09e7db5146545f71944b3de0320cc124f414219d082f67
-
Filesize
80B
MD5b8ae8d59070cc4a55122a86577f0546f
SHA10b1de4705aa4bc5ad6114d25b0d80766e9d5231f
SHA2561df5c5165d9d12ddfb02f6c426d28814c321fd81b19b0a096250b080eb8ef2a3
SHA5123f6888be13c2ed585770497bc40d49f8660a028d357d91c521823ad71f76337a1100c57f0ccc35bbd0098876bac6b6b5e9dc2ccccdf44e5b0cfd7e4750fa98b7
-
Filesize
720B
MD5f1da01d8d9e8da46713ef183ac9b3cca
SHA18d2c7e7b30cf3afa8d90c7bfcf60471ca1bc5f12
SHA256dee10e8ee04528b548aad3728e54aa03e38170d8378d114ba02e6879fdc293c4
SHA5127a7b45554bc1f2e673d429058ded2e989b69d0d8baaabf4ded1f8f3c5b3b5155eb9295e028e9fbb75c107f21ee615abbf7dac2bb3f1ffaa9d0db955016515a34
-
Filesize
455B
MD5d1eefa937c016b30eaa14cf8dca24a7b
SHA1a27aefbef140266eeff11f95339cfd8e899b150f
SHA256705a7d1fbb619455405a44b0134bca8611f58704781120c9196f6eee115a1007
SHA5125dad45c2e7862f8b681951377806e57e46e4460df5a6975b85a4485695561044dee5e6cb90181d134db9f08893bbaee6cf524eb51d58b29d8d4e4903b6ac886a
-
Filesize
96B
MD58b02f2e0b9a27293c6ebfab87eebfa4d
SHA1f3e0648bd1e0224e622efaacff48f9d69d87edfe
SHA256a7708c05ab0eabfeac65f1c12caa2e8665c1a5bb53c5fff38d50f4e5b88c47f7
SHA51208f6e8158c48a357506f2a49ba567984b4a7189dfbc12bdcbc109e33e8cbd6ea35049aa2a85af94d0ed64c7fb34811627faa069b8c4977ce3b578ce33f4e2867
-
Filesize
8.7MB
MD5fe7ed803a7f672faee4587732b2c6e0f
SHA1df209d1b055044abf4c0a6d4de3ebfcd8d7784e1
SHA256154c3dca584bb1f78c7ae7688d70998f2b62bed8884267e3fcf150bfefe2c9d8
SHA51206e185f1689e7b5dfef6625d99ff14dfcff6c2203e9be323fed3b6a9684c5179964969546d42f4639db878903981bb15e0a8f62a1c5b2b0a47fa3496e05fdd3f
-
Filesize
87KB
MD5cfcbc15615ffc698507d32c0a7d21134
SHA1f6dacce59f78ca4ee6622c4a340923282ec3adde
SHA256a653f5dbeb0ddecbc16c70b0b8c9471abb30c66032c2ee951dc36265f899d7d8
SHA5120ae08c2a2d56b976cbd748273a7ab8011f3eb82a22d58ebf44b73602ffa808e9a111a60ae250d441d11196522fd4c1aa6ec79193375effdc0207ffe7bbab61db
-
Filesize
12KB
MD5cb8e2471b607763501d5aea46aecc906
SHA1f0ab48a5db9ac561fafcdd51d5a6defcec4fd453
SHA256331e8ef2d344a76cd7b600338685de2d696bda62417fc06478db4c77255f8634
SHA512f67beddec92078817acb5429b2ee6c8667b555403c77892e821640a0c31686377d456cc56ed1eb3dc6f5b859b278fb461da8b4c76af48b82e5724ecba09bb816
-
Filesize
103KB
MD5b85fecc5e81d0cfbc3750c06e4a11412
SHA10f57603db18bfe0a5ee50d618184e9ed4fcafd7f
SHA2569fd76374c6e19923f99411d6f9bbf6614c94d81cd47630314c2ae21a94df40a8
SHA51297d553317bb4d276e7f5f3c5808dcb8717319047512def6b96da17d57248ffd5e374833a98f767f14bd8f3059de464f7829d47c65d969be868431faaf6a61c1d
-
Filesize
126KB
MD5fef8651f5f797f30a37d7cd36bea31ac
SHA18e85d22fb5247a69c1298d703d629dd46bc44c74
SHA2564083f67d11e7df827bff6c665b29f39fb197b4ba608d5c39ecff46ea9a0b61f0
SHA5129c69d66690080a341c25eeb9e258fde4dd4e94b80af0085753e758378c1e1790faef48c7384ad5171c63be156c68d0f207ecabf78d8ab5f367e04d5a34828851
-
Filesize
36KB
MD5e3e4492e2c871f65b5cea8f1a14164e2
SHA181d4ad81a92177c2116c5589609a9a08a5ccd0f2
SHA25632ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30
SHA51259de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6
-
Filesize
113KB
MD5d44fbd8760e79f5d950db5bc6e86a398
SHA12175264673a9a5b7af024d8e8f28879b1758abc8
SHA256ad38977d88e19c24793c6aee42b6389536b6879faa50e2438350f140247a9df2
SHA5129fd106939bf686d53676669755272cb59b2ccb7909be27b40c7261988264e801cdc94503f3ed70b95cb0980c65153aa0cc66ca764c053846c4626fde86e122e0
-
Filesize
89KB
MD5bf5d5ba471ab0266f991095fdcf74140
SHA142e890322966b7f2f9802c9e22269ed339c2969b
SHA25691db57a2b77ac18b9605b08d7b926f9dc32c7e7d6f4047fba0270a4403c288bb
SHA512b9f0113802c113f9ff5975989cc6cb9735cbe62d881e009fe853938604837996412332679c7eb7022b734401b2580d116566f7ba51ca62f787cf1d617b9ebc96
-
Filesize
424KB
MD58cca461a362ef864bdf35edde9f8e7a5
SHA183e7254eaa34c130ea56965e4cf46610aaf69c8f
SHA256785639d13771b021f191ec60e1c8e3e2efea164d2005f297a24559aeb0f58ccf
SHA512e01b175fad5c6f718c9a504b49a516f270a93a277d8ccd11a41713cc337489fa0fbc3176b629a9a368a65d48cc31685f02db6fdd486b91f31df9f621e636817f
-
Filesize
10.0MB
MD5b19dd73939f4d3249e87008653bfe5f5
SHA1936a1de5275e0ea2e4bc9be7b724736b135b5be4
SHA2567403bf80da0910e3279fa603ae2d573b06f11d3d72585664965e593dac92a0b6
SHA512103918920927c6e8bac17293ab24e2e543b69fe3455e345faa8a43c0b10f00827f4310552611ec349a1e3b6b02bea8416a5db52fb7a86a55d9e3d4dcf5fbf7f3
-
Filesize
112KB
MD5e6cac6acd18d0bbad9c2384b1dbede84
SHA163004a83ff18cce911bc74d27c1a2b7bea9cf4c3
SHA2569bc6edd286f4dcd83e57b541bc99038f7e902de943a6fd528ba485df1187ffa8
SHA51243c745d49ab82809c24e5ee62e11406b12b695140117eb1012111eea3b73f9b34b5ade21a1db3aa1fead982f266b05646a08a4813cba2ea950c59a73ab069fb3
-
Filesize
10.2MB
-
Filesize
8.8MB
-
Filesize
140KB
-
Filesize
8.8MB
-
Filesize
128KB
-
Filesize
8.8MB
-
Filesize
128KB
-
Filesize
148KB
-
Filesize
128KB
-
Filesize
124KB
-
Filesize
128KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
8.8MB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
188KB
-
Filesize
1024KB
-
Filesize
188KB
-
Filesize
2.3MB
-
Filesize
32.4MB
-
Filesize
2.4MB
-
Filesize
32.4MB
-
Filesize
1024KB
-
Filesize
32.4MB
-
Filesize
2.3MB
-
Filesize
32.4MB
-
Filesize
2.3MB
-
Filesize
11.6MB
-
Filesize
204KB
-
Filesize
11.6MB