Analysis
-
max time kernel
98s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-08-2024 01:01
General
-
Target
theoryspecializedpro/theoryspecializedpro.exe
-
Size
7.9MB
-
MD5
680af4923dc7b8ce1c06516ce06d17d3
-
SHA1
1487fcbdae76e1ebb5d55b9f76692959dd2cd5a6
-
SHA256
6ae6030e6222a1400ce938e2ad2086253f1ff6d9d07b0be35fee6853e87bedc6
-
SHA512
e8b7cb2e6e791716159ed7906d3f0e0972a8a1b58a2ce46781adf5f45da3fdfc88b782153a3bde15719b25d489a2f12266d23f20a25b956e3dbf9ea7f95a67f0
-
SSDEEP
196608:R6q51jd2HCwufvfbc7Mh7gOwQc5zlSJp0IV3DtBmS1aj9lF9q:RBd2HgfXbqMh7Ux5zgb0KRkS1YHj
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Signatures
-
Detect Vidar Stealer 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\theoryspecializedpro\theoryspecializedpro.exe"C:\Users\Admin\AppData\Local\Temp\theoryspecializedpro\theoryspecializedpro.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\theoryspecialized.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\theoryspecialized.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c timeout 21 & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 214⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KJEHJKJEBGHJ" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\theoryspeciallized.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\theoryspeciallized.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c timeout 21 & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 214⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
5.2MB
MD54a611572dfebc90e58361a47f7c7b931
SHA16eb472c77fe28d927757bc48917aa1356f9ef1a6
SHA2564c9f676b75807cb98edeba860a97a42a6451191006627c0ed9f55753e24cd8d3
SHA51252030edbc998b80c0d8562fc2d5d3a58bf2f1309f1f7854a8977731aaf4ee2de7b75b6f6b6ddf427c8378544e213a869f2092edfeefa8cdc5105b4bfbc39800c
-
Filesize
2.6MB
MD519994cf76dff91cc200e41ec7f616e88
SHA1ec7757228810c3ec63dd8c99f89b0f0051133d6e
SHA2567de8d59387105f4d8d7b721cc7ac5202c9735162f5e56d53a32915568e5c9b6f
SHA512810e995ac8ffbb889b692c8f81fff105ddaac292f20863d4c6868760d43c3ed5c321c210c31ce61f1cf3f0a057cac18da229c952420ffc042df690e752000368
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
920KB
-
Filesize
7.7MB
-
Filesize
920KB
-
Filesize
4KB
-
Filesize
876KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
944KB
-
Filesize
7.7MB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
4KB
-
Filesize
920KB
-
Filesize
7.7MB
-
Filesize
5.2MB
-
Filesize
304KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
7.7MB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
7.7MB
-
Filesize
432KB
-
Filesize
920KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
336KB
-
Filesize
920KB
-
Filesize
2.7MB
-
Filesize
2.9MB
-
Filesize
1.4MB
-
Filesize
960KB