Overview

overview

10

Static

static

1

SecuriteIn...82.exe

windows7-x64

10

SecuriteIn...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe

  • Size

    1.1MB

  • MD5

    165c328dfa78a39f3aa2889904fb49ae

  • SHA1

    2c9456d25869b7c172deced0024d26c20254c067

  • SHA256

    8435702911a3d6ebac7acef5aff7bc30395427892c1ddf39647b912a93260258

  • SHA512

    963ffe6191d8b8e274677bd95c4a6e023313bb5060e2fac4012356405965cc784ca2b783401b8423f1dab56d378f86a54c4e7d6d410a2e49cfa701907471c0ef

  • SSDEEP

    12288:00grFXz2n/uSZRDQDwAqvGz1AqIrwPKBXMftHG9aYWulFHCLQS5Ms8:/qFU/FcSuRoEPmXG1Yvnzp

Score
10/10
vidar2e711c8b5340db8e327be6ebd943b70acredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

10.6

Botnet

2e711c8b5340db8e327be6ebd943b70a

C2

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

  • Detect Vidar Stealer 5 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Lips Lips.cmd & Lips.cmd & exit
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2856
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 736975
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2836
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "BooleanPrAntiBeneath" T
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Hawk + Batteries + Buf + Players 736975\s
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
      • C:\Users\Admin\AppData\Local\Temp\736975\Trainer.pif
        Trainer.pif s
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\736975\Trainer.pif" & rd /s /q "C:\ProgramData\GHDBKFHIJKJK" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1052
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\736975\s
    Filesize

    285KB

    MD5

    3e229c21110ef93ff681ea69c7b30d8f

    SHA1

    3a94449decf3f21d853fc7dbc09e520e4c3b4fe9

    SHA256

    72b4471718c891f8c25a7526149dfa59774008ac74de973e524d964247f0097b

    SHA512

    ab4546d26b4279fd0f53554b89b87d12bed024b46fc1191cb82c25a04b35471087bc03edc71cf7e799c93751f10f3aa1503048aaed88c1729c5b9c5984d3fb96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Batteries
    Filesize

    92KB

    MD5

    ea3c09bcb898319b776b3d63919fa504

    SHA1

    b963344145ebbc646df99279ec60e9fb5ae37732

    SHA256

    72e51a5968b0b35f1977f7342604daab95c7ae314d0940e84333468c752f3ad4

    SHA512

    9c7223369bca073630f7f575de2e910fa1a8939142ddcbea685ed763f52660aecad0131be008f4b40fd20cd87ad3200783261e927b2d72fd73bd05f0820c6778

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Buf
    Filesize

    86KB

    MD5

    8f42832b644e206b408dc3ae2f89acd5

    SHA1

    d5b61eb0a52e69e2957198b396ddfabd4d8066bb

    SHA256

    550dbf9411d5fd38c0388a5ee460dc8ad598c333192f31d053c382b731f361a5

    SHA512

    e440ed87b928cf155e3eaeb1facbe3a4e141cfb4b2e0852601adb00da326a1b4d75ce42dd6c308923d9df596351262443d108572ef961b360ba07e8ace21d3b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab965.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Hawk
    Filesize

    93KB

    MD5

    99900f51ef93bcc0931acba1a7662b3a

    SHA1

    393e7396ff590f4079c39bfa43089eeb554ecd9a

    SHA256

    f7e26320c270a2456fc5dd6632df62af3852c9a26dd5946003283abd6dec6c3b

    SHA512

    a192ea0128e81795b9fb92552a9b7e2f7533c690f6fd952416abc3ecf382b0c33c7ed25308ac9832e7c264d3d1b42605f406601e3e559a0de26ffa356cc83a0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Jersey
    Filesize

    871KB

    MD5

    f941cf7be37b239f2102bb05b3e36fb9

    SHA1

    f2c434c1e26ca4db3eb66f476b7459479eed0721

    SHA256

    be0b8bb3f6659c24d22062f4744672118a8b1e8eb53ebd2de5c3d9ca2472325e

    SHA512

    775cadba853a242ae6be79c2def769de498924651e12c452eb679855c777ff5f31a928df95cc0fcf08923c590bc5eb6cbe17368b214193b5ce99049788ccc36a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Lips
    Filesize

    10KB

    MD5

    d424f95514ea2f2ca227932c5d8b1a14

    SHA1

    c9e60f83ff0bac1c93628daaa9e2a11615bd058d

    SHA256

    2160dfa2ffe37e8de024bed55cf07d8309a2bdd05b7ae6b8c328406e11ae8639

    SHA512

    0c0a6a1e6b4057cb0df98d8b958e5ff422dcb30666519bb332dfc468bc93c7a2047680a0a9ce7fad5fe772a79410a81e91c51be8254f07eed80b0601318ec2d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Players
    Filesize

    14KB

    MD5

    13f08c77471dfefa2ac2d9871ec958e5

    SHA1

    4ce74ff3db310d9f9a36e38b727962ad329fd18b

    SHA256

    e0e05fa17f39ea6686525bd9bdda4616d00e298a0b70cc6106d081cfcb7bfba8

    SHA512

    56d30daddc51d9633d35f19ef7c72945cc5d7e5d18fb2b2aa7c97d92f6de7b72ce6f7e3ba3c288ca6a114d9b2e7b15d4de8306fbb12bf96d6c4076b7c8c8cbf4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\T
    Filesize

    982B

    MD5

    3d794b01d9059eb20160ce36a870bf05

    SHA1

    f22a4e7d0d0eaf4d8c0b93c2eb2557f6203326a0

    SHA256

    31cd814281753e78d2592dd77aeb540539f20b6e9e87d6ff71a9dece9f6d1f09

    SHA512

    d0fb112aa8d5d0ed286a13df66bf4b36e49e327267ee34ba419422d09a70c9454022cc7c8ed7b2ec57ddf91a8af9c35fdc5c2f7be8b912a7c64ff56b5a4e6018

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9C6.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\736975\Trainer.pif
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/2684-77-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-25-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-26-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-27-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-28-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-24-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-78-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-23-0x0000000003330000-0x0000000003573000-memory.dmp

    Filesize

    2.3MB

    Download