Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.0MB

  • MD5

    63787e6df0b85a10bd1132dfd3afe6c7

  • SHA1

    eac8d56fbdafb416169733b19beaf28a16d1c02b

  • SHA256

    1d40c76cecaabdf1e1d0004aa15cb469aa4374d1d0b2e48a47e588b1f84113d6

  • SHA512

    ff918db3ff75cc046d351fee632714cc2895773905ed1c70bcf12f2e13ef1ff34b943b58d93e9b5620e9104cff8130859b4a4e07925ee063766fe08d107ab395

  • SSDEEP

    24576:RzZyLptSB4iQTOnBWKt2Cqh+cwAtEspRStDH:RNB+kBWU2qcjw

Score
10/10
vidar057d037117dc13a05f53caea44d69e65credential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

10.8

Botnet

057d037117dc13a05f53caea44d69e65

C2

https://steamcommunity.com/profiles/76561199761128941

https://t.me/iyigunl
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

  • Detect Vidar Stealer 7 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Monday Monday.cmd & Monday.cmd & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:320
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:960
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 287228
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1052
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "CupsRoseColdTemple" Dried
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Sean + ..\Personals + ..\Sisters + ..\Accurate + ..\Reforms + ..\Seeks + ..\Wide G
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3844
      • C:\Users\Admin\AppData\Local\Temp\287228\Newbie.pif
        Newbie.pif G
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4844
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\287228\G
    Filesize

    430KB

    MD5

    6261d0d04934edc2021cecd9efde267f

    SHA1

    e8a9863b980e0467c170a672aeaa32079bd0aca1

    SHA256

    52c92ad7b293347000ebad19aff295cc6f62bb218bcb2673931cdfe244f63063

    SHA512

    489fe9f3408c235d32f9750cfec60678bba02a64def7f93aea38c4c4321032597b4ae1c8c796100e229d86d5b7a4d8144f0fc0686b09dbb8575c6c3924e39923

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\287228\Newbie.pif
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Accurate
    Filesize

    70KB

    MD5

    86b928224b489a52df6e2f86fe93b03d

    SHA1

    8bd998a4e0314ffbc01f3e1302b55c6da8f7da92

    SHA256

    2697305e81a99b9a947660c7d1f403856f58ba8be7821a7da7fdf2e5df226166

    SHA512

    127ee1b2727d4d148b8ee0b705fb0e5478500ef2759fc4d04d451aba67329049dcc51965886baa0c53f8924593ccf527f62cdf9ee849dc3930a760023e505e73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Covered
    Filesize

    871KB

    MD5

    7f390ff6cb070c1eef18913ca89fb116

    SHA1

    930081918a896cccfbeafd5dd1216ef1d4b40f3f

    SHA256

    e196cb9a07d65dd23f51e1a1343abf88ec7937a8b37e86d257ddebd95ed23563

    SHA512

    3ba2e20cb0762e39d2b2a03729d45cb001f19011c638cd0adffd4e1a88a4048fbd76d7b54e489adeaa927fbcdc899c47373346967736db68cb2d99ea1c9211e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Dried
    Filesize

    923B

    MD5

    c921c5d969228b0a434965f6811f2fa4

    SHA1

    a48cbc871b077769fd8d042a55f058a47aef35e7

    SHA256

    1124cc8fa0c74e7afc30991d84757859482aaa78bb5a41ed16958fe731bc96b4

    SHA512

    ceb7f6126d773a798cfda30bb7d36d1bf760d176cf2b87207873a375c57fa133343b68f0526561607e94ac03675dc6eafe8790304611dbccbd572d22d4bf6bdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Monday
    Filesize

    7KB

    MD5

    3eb198fb1b67eb2f082106bb255dc745

    SHA1

    84a228c0a4b1edba32a2251246cdfa620ffe781b

    SHA256

    3e06ef6ea9b11bc0a9688f9767bee5ece3a94c9d1a06ab9b13600b229972d9b6

    SHA512

    bd16e14a35b88c0989e1518e0132799cf035ac039944bba7ddc77a13b4aa7f9e749241b98b646796f96e259f1288b0f927a0ff2885118978fc1e6366a5f8ba17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Personals
    Filesize

    57KB

    MD5

    4adf5737f34a4319c8c13922b2ee7b2c

    SHA1

    cfa8b5188f28e9e3cb69d607a0e06ede7c989449

    SHA256

    947717f4c2669fa6cece6c3cd377ac1abc4f843edd366cda3e3463f9c9da4da7

    SHA512

    d909f8d2deca1cc61782c5b2e252abe0fe7aca5284dd7e2422f7df993a17d1eb5eb6b44b34d3ab088c355b4a8bb7b4fc34fed4f66851da6d257ec7786ff86d78

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Reforms
    Filesize

    58KB

    MD5

    9ee271fa1bdb3b7541beec9d6d902639

    SHA1

    20d55b4b1d6b0641bdd3959c6bc7aa1d07e65384

    SHA256

    231f4b9879fe4c6780678df58a96139dbdaf2febdfdcc66be341898a5a53e28d

    SHA512

    8e790009329240556cd95796f2fee93f73b773925077d44ee060754810867656be5082c83109b52fd99ad48d8ac84f1a018056181233e7e5171793dd6297d6e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sean
    Filesize

    89KB

    MD5

    0e01cf39db0d8427fd3595c9b18344c1

    SHA1

    c74b40bf071b10a2ab9c22e835d479125c15e076

    SHA256

    bd8d9df4c743109da71de7f66b91001c0586d6d833465b6d5a9e7749f1e053a0

    SHA512

    b51048e11a5928aab18d9c30d924a1fd31f851b7a0f325716f7d67b12e4e5de8763ffa040dfe0c5a5cdb7d6590afa777b8c67009ea898e72f659a9e11be52612

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Seeks
    Filesize

    79KB

    MD5

    3712e812a78834d7aa69c12997af91fa

    SHA1

    ca2012ef7da7b1a7a67cba4c9060977312022387

    SHA256

    00b103476cdad44aaaec2e46f0dcd2efaa2878bdb22b3136927dd2da5a800d9c

    SHA512

    f98b3c3abefebf8f9c5ae7b5d7ad622a5891836dea654659c7c137c90f7bc286834e5a612dccde6eca260ab12851ae8637d992dc3e4a4716160a581424c4705f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sisters
    Filesize

    62KB

    MD5

    bf720c8d92df223cc60d80c60156bc51

    SHA1

    0fcac1ea0db937218434c6d1fb718c7cbf33bc14

    SHA256

    2546b099519c23ce35883d567b1f838ea6d1b2345790b3365a58a215a7834fd7

    SHA512

    3369aff6dd1cf3084f322ac33f76cee5f0a511525cb0ff3fcf5ab3b447a75bac02a5bbceb5c7e6dc34fcffba5ec2fca1ad7c4e0a2c2fd81d179a16f6e046a2cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Wide
    Filesize

    15KB

    MD5

    fe4df561b372a9998c92b74c3f32d039

    SHA1

    c2f7d9e7bea882c9a35bd46cf6ba04b6f78a7b9a

    SHA256

    873a6fbee241e07ee2daa7b22ca65de6af171a3b1fc1518d87b50071117f254c

    SHA512

    c7d7bffbafd8ccde21cc331911680488d73dc8c13cd78c9fd35f5fbf872436486c4420c98387764ed98cbe9aefcb3c9fd3286085a5108e37950b07a6b1372a96

    Download Submit

  • memory/4844-30-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-28-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-29-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-27-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-31-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-32-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-41-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-42-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-43-0x000000000C5A0000-0x000000000C7FF000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4844-57-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4844-58-0x00000000043D0000-0x0000000004611000-memory.dmp

    Filesize

    2.3MB

    Download