Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-09-2024 13:14
General
-
Target
9a30ee005b2b33436f0c5d6600507674.exe
-
Size
1.1MB
-
MD5
9a30ee005b2b33436f0c5d6600507674
-
SHA1
dae6301ecc10242b609e8b1d1d624772de14c28f
-
SHA256
cbe9ac361320c689ea74990eb5b752c63b9bfec9deeb09ce7cfaaafb6baf41ef
-
SHA512
59b0ba792acdc46a61e07cddf7a3c3d051743433062432cfef0daba33ef9ff9b5be6f2e46324ee405132fc4d282cec62fc8b79471bc184392bd5d34e814b1162
-
SSDEEP
24576:/9ZWDjMzibzyO/xkZawNwKrXsjGiYqbDxLOJDjt5r7L2rvqHq:/6DjY495kTwmXseqbD9OJXtFqvqK
Malware Config
Extracted
vidar
11
dc012f980711fe846b1fec1f4b705f4a
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 11 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\9a30ee005b2b33436f0c5d6600507674.exe"C:\Users\Admin\AppData\Local\Temp\9a30ee005b2b33436f0c5d6600507674.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Attack Attack.bat & Attack.bat3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3525624⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "MeantDependenceFavorSsl" Prot4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Hart + ..\Matter + ..\Sisters + ..\Safer + ..\Non + ..\Correctly + ..\Genius + ..\Grams t4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\352562\Immigrants.pifImmigrants.pif t4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKJEBAAECBGD" & exit5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Ethiopia" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NetBoost Dynamics\NetSwift.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Ethiopia" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NetBoost Dynamics\NetSwift.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSwift.url" & echo URL="C:\Users\Admin\AppData\Local\NetBoost Dynamics\NetSwift.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSwift.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
540KB
MD586edbd880f76a23bbb3a7812e9b93405
SHA112bbc87ff3aabaa594f8f24d936588828980376b
SHA2560041f91833a4303a3e75e8ab7b3251b942f74f24e5f854c44aec98fbabe9557d
SHA512bb47c59b2cda429e4bad0430c400670e468ddaa47794e0685d10482012e1f6b270da6c391581b6feef94fae5067d1d24fbb3f3af1205225720fbd167e21c7294
-
Filesize
18KB
MD500aea4a8b9f3b766fd94f8f1a1b17319
SHA1fc1fb5b68f9c1272a725ce34e759e4d5504494ab
SHA25693e3afd34454d916eda100343dab99b835335244ef658bb3910e214b8e593502
SHA512aeb891407a6f478a1bb8a311f691477edb042cf34fdf14cef8d2f29d127101d469c6ea47beaa406edcb36c918c3ad6fe59771daa30342da5f853f58b84f4bb5a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
78KB
MD57ae5ac8822aa91b8be9fbb9442f1bdb8
SHA18237ee080e41d70a23b286515c2f55736d8403cf
SHA256a60f9f651521202b9843c0be82742a3581b84872029b61c563e118e3fae4822c
SHA512b4cccc6f8d93f0e94227b020c8b36c391bc103527e594d43d0d0587c792bbe9c670556772e0fa03b260c4469815cd1d2b22302262f5da22ef3bb59a4b6d3ac86
-
Filesize
60KB
MD581445707ac5434c8f1b4e0ca384f3578
SHA1103f78ccbbbaafa4141aadbb6187a7cd4484774f
SHA256bbaa32a77fc13229146a162cc80511aa4f3ea4246de5a681c6f8fd7885b477e4
SHA512d732da9b0fbdbd679785b235a06212aa42f9e10f917fc32f52c691d953243c27a7bc23fc3d1f3832d5676434ed6ff58a42722444b7254876615a26d2570fc2ad
-
Filesize
32KB
MD5ccaa26f4b425aa2163dd6b36608a98e8
SHA1930dfd31656d25e1019b300f7526fdb1b561e0b9
SHA256a4bcfb095588bce9d19743929d056ea1ea1c2ec59b3133e7204ab6786d3bbac7
SHA51250d3e491ab728e754e762bb50c5714f1da17f29c35955009618bb0b86649b96b895a9d42246b0a313688d223d005b73564293e8c00b464c23a2482a2ed818395
-
Filesize
52KB
MD5854346263a86ce44eb077c47ee00b9db
SHA1feed381febb09baf159bdf233f7cbc7070f2fb10
SHA2561cf636cada860a4bb8abc6d16b6d3ad928f80195ecafac04ae1425dbb4251bcf
SHA5127ee1a58290bae56d765b73751888fd4e3578c1711f709dd70098548738fc29d045fdb2de52a809f72742d70701130cf91c610bd8f5aeed2c39f198c435fdba78
-
Filesize
74KB
MD51056a72b26876ae6657a041d5ba79728
SHA1e85610d5afab8dbdfbdac031857869c477bf88ba
SHA256ecc9de6d16313f7a8f99571093d3e652dd59cd85529eb502868fd59b5a67fbbd
SHA51267d6ef75f41d7e165f76024aa832d1cde3b411e54e3736c74dbb5effb2fe0293ac83ee7985a44fba339ee628784647c4ec8585596d70d95369bbaafb7a838d15
-
Filesize
92KB
MD5089c3d6be114c4d86c89a54f54c26a38
SHA1da2bfb8178d464fba227a34c684fd341dd4e6857
SHA256b8b5911debd53cf89aa7a476ced7028fa71f67372b8b9bc137d477e1ca402c29
SHA5120369360e7ffa7e290b61db1bd3964e134d11b3c24ec8b4e001559327da7746853ee2277cad3edd03bb12bd8910ecb48da4d5787a2979a32e6dc7bb8d8c52acc1
-
Filesize
7KB
MD5d49d575158c071a7d97786d9090535e0
SHA17f4981401967c0233d9df348268d67bc5c332f30
SHA2563dc5d274a11deaea821a92252e018613f575e3e999c651dc45561bae9817a1e6
SHA51263c57c5caa02f24bbe074a1c7823722cf5b9b46a8f19e8ca29adecf5ae192fb4a7cfbec786477ca2db60fa057637fae3f7d3504dc72f7980f051cd58bbc1137b
-
Filesize
81KB
MD52127c81beeeff906fc84c2563dbc5677
SHA17a13814d6e45e742f2c8de3a7b35466570e1a13c
SHA2568970dfcd04d4918fb3fdf62e3c2fe274f7feb535698b4bd4a1153b29180c49fc
SHA5129be025e281eb16e2a0828134b60e273ff95d6f45de5ce99d72f3052401ed8d9ecbfd493687984ae7a477872dcd3f48df8d0630b4291d633f91b2845226564a2a
-
Filesize
865KB
MD53e9a6c5f67b99a5e92ee1c97023333fd
SHA125e1071c2b489d37e0c55c1fe1e78344a08fd0df
SHA256df3d57c52957b8f7179ec2e156917e2139aa3f31149d62b45fb9fb361f3edc87
SHA512bb77200638d28645117ca53683297144a888d7d8e9defeef082a9c97f99ac9d8795fc3c5f265c12ba8ee2f89a8286183f3712f6a0493a31432d472779dde20e4
-
Filesize
71KB
MD54ce2961be4eb3e17fcd5956bb5f76b0c
SHA18a186e94de25817744eac203f3465694ade54cc3
SHA256eff6a194566835c2118761fbd2e636fb4a2f3a6e13bcaa0e9a9c19ffe5b393c4
SHA512ec4799c9670f24f2518e3a5dfa95f7adc6a96f5f2ed00d49c36efde3da7f8363c0fb6842d738c23017d4200b90bc2b3b0bbe7c503514c37afbc31a5421e28b56
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB