Overview

overview

10

Static

static

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    202KB

  • MD5

    64179e64675e822559cac6652298bdfc

  • SHA1

    cceed3b2441146762512918af7bf7f89fb055583

  • SHA256

    c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

  • SHA512

    ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

  • SSDEEP

    3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Score
10/10
vidara5215640c3d06b049aee58cc78e4057ddiscoverystealer

Malware Config

Extracted

Family

vidar

Version

8.3

Botnet

a5215640c3d06b049aee58cc78e4057d

C2

https://78.47.78.87

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik
Attributes
  • profile_id_v2

    a5215640c3d06b049aee58cc78e4057d

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

  • Detect Vidar Stealer 2 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Suspicious use of SetThreadContext 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Users\Admin\AppData\Local\Temp\GraphicsFillRect.au3
        C:\Users\Admin\AppData\Local\Temp\GraphicsFillRect.au3
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 128
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7b4b4b2b
    Filesize

    6.8MB

    MD5

    dd1b8432caff27d5cdc3014d28284c33

    SHA1

    185e5e09ece937964fe1b2689c00a3b294f33ca5

    SHA256

    b7ed972a3c15cff447f8af48e38e0858f9a9133e434d2bd35d616f7a6c4d6895

    SHA512

    46d0b2f1b7f73c0095a786638fbefb8fc004742f612ef9753c3f396167f9b097d687e7c08f1fb2e9105ea24b2c661ee72cdbafd81c61fc18b7ad2427481f3ef3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\GraphicsFillRect.au3
    Filesize

    925KB

    MD5

    0162a97ed477353bc35776a7addffd5c

    SHA1

    10db8fe20bbce0f10517c510ec73532cf6feb227

    SHA256

    15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

    SHA512

    9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

    Download Submit

  • memory/2376-12-0x0000000074691000-0x00000000746A3000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2376-0-0x0000000077590000-0x0000000077739000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2376-9-0x00000000746A2000-0x00000000746A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2376-10-0x0000000074691000-0x00000000746A3000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2456-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-27-0x00000000006D0000-0x0000000000E18000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/2456-34-0x00000000006D0000-0x0000000000E18000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/2536-13-0x0000000074690000-0x0000000074804000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2536-15-0x0000000077590000-0x0000000077739000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2536-17-0x0000000074690000-0x0000000074804000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2536-18-0x0000000074690000-0x0000000074804000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2536-25-0x0000000074690000-0x0000000074804000-memory.dmp

    Filesize

    1.5MB

    Download