Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
16-09-2024 01:35
General
-
Target
b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b.exe
-
Size
68KB
-
MD5
5a4ccccb90b0aaa3b248d4f0dde38823
-
SHA1
be8f1d791a81696cd58e7f837a97aaea58eeb26a
-
SHA256
b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b
-
SHA512
a75db1a19a6bc4f5a9c5437864cb01e5d139ef56365e3d320035fcfa65a713886f78a6fe2f3eb130e35bed1a25e4fe73d712b6e03ed6bb373e73a6c3a3cb7737
-
SSDEEP
1536:T7os4AvSdEcNj56sWOr3H8+wMiT8om0QSnouy8:TBvSdEcHWswxQJ0Zout
Malware Config
Extracted
vidar
10.6
af458cf23e4b27326a35871876cc63d9
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Signatures
-
Detect Vidar Stealer 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b.exe"C:\Users\Admin\AppData\Local\Temp\b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b.exe" & rd /s /q "C:\ProgramData\JJDBFCAEBFIJ" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
-
Filesize
2.3MB