Extracted

• • Target

    SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe

  • Size

    5.5MB

  • MD5

    e0dfc852c37571b8468b2d17f573a12f

  • SHA1

    38ec845f203450b7d6a51e9a441ab609b5ff1100

  • SHA256

    1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541

  • SHA512

    783c27474e39e99a4ab153f6d42f2b9808df2ebcd3b4299c0067ed9e21d635ba92505d21b96ccf512ca406a36ae9770ffce85e36842a9dac7a4ae87becdf35af

  • SSDEEP

    98304:Uuc009atEN5lsTu7vAcJnIQEUmM1nGGqJe2OUxulDhTCGiYbFr54L6Bid09VGg5Q:Uuc39a45lr7vR9nEi1nGGqQMuLWnOoLH

  Score

  10^/10

  vidarb699ecb1aa34580fba79282dae821438defense_evasiondiscoveryevasionexecutionpersistencestealer

  • Detect Vidar Stealer

    stealer

  • Modifies security service

    evasion

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Sets service image path in registry

    persistence

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2