Analysis
-
max time kernel
292s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
26-09-2024 22:37
General
-
Target
48ac733e00c61226d506c26f12f6fdec6b67f3dd0a9f3a5dc6720c4096f8c0c8.exe
-
Size
1.3MB
-
MD5
8f13e73a3c7d22ee7c1730cf8821f7ac
-
SHA1
25858c26c6b10cd55a2f388fcc9325eb8ee75a00
-
SHA256
48ac733e00c61226d506c26f12f6fdec6b67f3dd0a9f3a5dc6720c4096f8c0c8
-
SHA512
6c8e22f964551c80cd812ca58024ed9c3440510cfa5369308c450599feb533fd14a667a872b39b9bfdec3ec69a815ba0998e11c4fbf73edad3d5e938f9388e81
-
SSDEEP
24576:49U8qvoywyFnBcbOag/NDV4poKsYbe8QaqLhc88HbAw5MfPlB4T5N71xwm:4m8qvoypnBcbOag/QoPYbe8Qw8fwGHlk
Malware Config
Extracted
vidar
11
91ac6183dbe67a7c09b11e88fb5493b8
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 9 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48ac733e00c61226d506c26f12f6fdec6b67f3dd0a9f3a5dc6720c4096f8c0c8.exe"C:\Users\Admin\AppData\Local\Temp\48ac733e00c61226d506c26f12f6fdec6b67f3dd0a9f3a5dc6720c4096f8c0c8.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Older Older.bat & Older.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2446443⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "startsvoltruvisible" Vanilla3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Fx + ..\Sides + ..\Executive + ..\Jc + ..\Door + ..\Pts + ..\Started + ..\Mastercard N3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\244644\Caused.pifCaused.pif N3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\IIJEBFCFIJ.exe"C:\ProgramData\IIJEBFCFIJ.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGDGDHJJDGHC" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.4MB
MD5af6e384dfabdad52d43cf8429ad8779c
SHA1c78e8cd8c74ad9d598f591de5e49f73ce3373791
SHA256f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599
SHA512b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
545KB
MD52f9adb1cf6e93e4da3d602c0d48643ef
SHA134f43bb62632452a1de3fd983515f735bcc3c96a
SHA256ccbc6f5ceb4cd4799f7b18d3ddcabcca989518dc1638cdc554527ecb386172ec
SHA5125d8a3ad8df0c67d7a8772c7d5d2e43a303a5ddc10a9a5db9b62422fd2e9a363ee5f1085b6e4d6c58d338036f6395c833a04abe0129619d5dbf72cae2bcb1f40b
-
Filesize
58KB
MD5a83b356cb3091a822ae558503bec0e81
SHA1d22895742f8754ba14e993568e9de6a2d482023d
SHA256e65e3c0954be3035581254959c1ed778179d03cd34e6ad55a0f548b4c3b75aea
SHA512b77696c7bbd1fd7a3b05b2da008040ae997ff16021f39bdd292aad11d7fdcdde86de7c8b6fabf8e72a82a20189b868d638d8f39f91d9b57f197de9836d0e9311
-
Filesize
87KB
MD57196bd557f712406896af3a294854ec7
SHA1a02abc5c3195a66d55d55edfa5e65e96d7ba4dea
SHA256b516639ecf4b1442552857afff153e161d11c58220090496dc55f823695e1651
SHA51244e41c9bedd2e5cdb3f09c0757546dc4a5e71b4aee21f4deba24593ae4d5f490a0b11261f162074f105826b19c86639a35f8700c41acb3bb63d782196e84e26c
-
Filesize
84KB
MD54c11277283eff4e61ebe7c3c0c9b7932
SHA13a322ad2cd458ad75bf41466a4c0c79090b12c9c
SHA2562fd771e75ed3075d6d0c4c58670fe557bcc844e3ef3d8751e0a68306186f6e55
SHA5128ee744f807c03ae6c01394654cb42ab8f023dbd23abf36253e2d6eb5da336da900e4abe74ad5c725567090410a5337074bd67c511b6222eb22f4f54fed8c265c
-
Filesize
865KB
MD560330a0c955c3d7909c6397557dc11f4
SHA11666b670a6c5a6713753f48f03da8b66747bd9f8
SHA256f8cabdf37c7566d3e0c6cf011ba968da0fb779c270241e2719dcf5ff1122dab9
SHA51216debffa5080b95ba5f037565678db6a2eeeb0b5fa7ce84a4fac1e839f559fc7a13e01828db2f5227b8723ec6aa9b5fdf43e2c39f2591e27cad5825aca84fe76
-
Filesize
66KB
MD50aaa7223fca864daa48039c5a7a70b27
SHA18d6ed70ec5eec87231a8121fddb731c105be4d22
SHA25699ef2cb58432d21e2f406c9e4e2a3436a14102ef4a7a45bec4c9fed191e6302c
SHA5129ca7f42911175619dae94c6e492ba1241239cfba41d666b1e9c3bffe30f83275679f6d67ba8e7fcd8bec3ac06b898e4797797a9e65261df78253c22f58f1c9b8
-
Filesize
40KB
MD525f854a3b28adf8e8b37c4d3951797c6
SHA164675978a35669a4ce06e9f273e5fdf5c3a49322
SHA2567aa8cf51ae643db5cf02b08662a7e0afeec273645c887f2f484b11fa91e055bd
SHA51286dc5a8af320733e934fc1ed06db52389d6e1f82f4958201c68e7bc685c51ae3eb55508809c03870a0f6ff40b5ef01ef6d6ad5cbe9c692b91c50c2f98d918484
-
Filesize
20KB
MD5d10dbebda909afbfa6ffc40a44acc62d
SHA1a2becc064d4ddcc82520ab09b8b4583b346f93c9
SHA2561fa255357ad948b071e3a605ee4158c8ae5ea9adc1c4e6c94a8ea875481e96eb
SHA51229200341e3490dba217ea39b6e373960028e82e94bb9a8cb0a9f7e9452abf0544a75110a0822fce1c76a30d82719b3addf64a52adaa32d1d0782a6beb61d2fdf
-
Filesize
56KB
MD51edf95a608f35b125a2a9c29f290be47
SHA15be8f957392bf583b1852fa164d34a47c6f610b7
SHA256718e9e97d32df03fcc4e055418b8023c2e6ccfb3402cc5e63d34baaa4dbaace6
SHA51297fab27b50ee445b9a69e4f9d72ad9bb6664cdb4ecfbff558dce1519df6fe401225d535f9934060b0edf225418f983329b1f0d1fbe11cdabfb0ee9fdcc64e6f8
-
Filesize
76KB
MD593a4a8b90f4c995291f4adb787282970
SHA19122a34f131c168ade197279169f625f7ca59f83
SHA256117d0ccc3325686395f029a4579a5c29e3867a27b9e01139757212d425013106
SHA5124bc7e28a89066b20414d83511deb40c3f734cb7bd07863ae6ce31368bc103812ff84cdfc5ba11b9171d357706d29db0afb8a94089246dc682366395527cd0aed
-
Filesize
78KB
MD5fb83cd37486912dc467f78cf5ae252fb
SHA18928e18f47f0aadd42144fddd0abd0cb1ea63955
SHA256500d2c2b0ef4896710b96299c2ccd7eff7e6b6d14f2e8b01d43ef5b9c5034177
SHA5125ac7c08595777a1ea36797227732b573bb55f8cedb1b21ceb81b17c393f1b16470ed96cb8d7ff5a838fa751ff354c028ccb63538589dfa5167358f1a7d701b2a
-
Filesize
7KB
MD51f6e1d942f7115c326067899f9721c13
SHA1a6b8b6c1cdd21562c0e76ef08aecfc7c927d9cee
SHA25620c4c1a15cbfc9168c797ac279475f88e2041f67a459471fddc3c947b4c7229e
SHA512b9c913a3c5ee8315c4d978cb97e4545cf12d88f93bbe0bd2692c020461356fb2756588c8cf5a5c6b58ef1510d2436626ecd3b5b48ce1a83417705e3f70022abe
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB