Analysis

max time kernel: 94s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2024 01:48

Static task: static1

Behavioral task: behavioral1
  Sample: d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  Resource: win10v2004-20240802-en

General

Target: d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
Size: 1.1MB
MD5: dcf197da548e85d911ce6d40222b3592
SHA1: 2b5e353c214eaa0bbd7adfe00ff4c9f1cf9467ae
SHA256: d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf
SHA512: 26f28dd0f88c5f912b29495912eecc06cfcdb000a591b6a53cf85c6000c3e3dbad871750b7d4167e1657044c3efdc8576d0b3b5512814991c9d0f7c7d9ba0ef3
SSDEEP: 24576:ynY49QOH6CG9C4iF2QyxdipXdbJDNPF1jskplLqh:+9Qe6Q5eqXdzjso+

Malware Config

Extracted
  vidar
  11
  8804a4f27e22750a8baa49e881ddca35
  https://steamcommunity.com/profiles/76561199780418869
  https://t.me/ae5ed
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures

Detect Vidar Stealer (13 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1092-34-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-35-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-36-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-45-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-46-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-61-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-62-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-78-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-79-0x0000000004640000-0x00000000048B6000-memory.dmp   family_vidar_v7
  behavioral2/memory/1092-101-0x0000000004640000-0x00000000048B6000-memory.dmp  family_vidar_v7
  behavioral2/memory/1092-102-0x0000000004640000-0x00000000048B6000-memory.dmp  family_vidar_v7
  behavioral2/memory/1092-109-0x0000000004640000-0x00000000048B6000-memory.dmp  family_vidar_v7
  behavioral2/memory/1092-110-0x0000000004640000-0x00000000048B6000-memory.dmp  family_vidar_v7

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  Customized.pif

Executes dropped EXE (1 IoC)
  pid   Process
  1092  Customized.pif

Loads dropped DLL (2 IoCs)
  pid   Process
  1092  Customized.pif
  1092  Customized.pif

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  1132  tasklist.exe
  2460  tasklist.exe

Drops file in Windows directory (6 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\PopularInclusive      d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  File opened for modification  C:\Windows\LackRestoration       d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  File opened for modification  C:\Windows\ActionAccessibility   d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  File opened for modification  C:\Windows\AdvertiseFda          d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  File opened for modification  C:\Windows\NmFeed                d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  File opened for modification  C:\Windows\SeniorsOrlando        d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Customized.pif
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0              Customized.pif
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Customized.pif

Delays execution with timeout.exe (1 IoC)
  pid  Process
  316  timeout.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1132  tasklist.exe
  Token: SeDebugPrivilege  2460  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1092  Customized.pif
  1092  Customized.pif
  1092  Customized.pif

Suspicious use of WriteProcessMemory (36 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4764 wrote to memory of 2564  4764  d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe  82
  PID 4764 wrote to memory of 2564  4764  d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe  82
  PID 4764 wrote to memory of 2564  4764  d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe  82
  PID 2564 wrote to memory of 1132  2564  cmd.exe                                                                 84
  PID 2564 wrote to memory of 1132  2564  cmd.exe                                                                 84
  PID 2564 wrote to memory of 1132  2564  cmd.exe                                                                 84
  PID 2564 wrote to memory of 3520  2564  cmd.exe                                                                 85
  PID 2564 wrote to memory of 3520  2564  cmd.exe                                                                 85
  PID 2564 wrote to memory of 3520  2564  cmd.exe                                                                 85
  PID 2564 wrote to memory of 2460  2564  cmd.exe                                                                 87
  PID 2564 wrote to memory of 2460  2564  cmd.exe                                                                 87
  PID 2564 wrote to memory of 2460  2564  cmd.exe                                                                 87
  PID 2564 wrote to memory of 4980  2564  cmd.exe                                                                 88
  PID 2564 wrote to memory of 4980  2564  cmd.exe                                                                 88
  PID 2564 wrote to memory of 4980  2564  cmd.exe                                                                 88
  PID 2564 wrote to memory of 4836  2564  cmd.exe                                                                 89
  PID 2564 wrote to memory of 4836  2564  cmd.exe                                                                 89
  PID 2564 wrote to memory of 4836  2564  cmd.exe                                                                 89
  PID 2564 wrote to memory of 4204  2564  cmd.exe                                                                 90
  PID 2564 wrote to memory of 4204  2564  cmd.exe                                                                 90
  PID 2564 wrote to memory of 4204  2564  cmd.exe                                                                 90
  PID 2564 wrote to memory of 3116  2564  cmd.exe                                                                 91
  PID 2564 wrote to memory of 3116  2564  cmd.exe                                                                 91
  PID 2564 wrote to memory of 3116  2564  cmd.exe                                                                 91
  PID 2564 wrote to memory of 1092  2564  cmd.exe                                                                 92
  PID 2564 wrote to memory of 1092  2564  cmd.exe                                                                 92
  PID 2564 wrote to memory of 1092  2564  cmd.exe                                                                 92
  PID 2564 wrote to memory of 2560  2564  cmd.exe                                                                 93
  PID 2564 wrote to memory of 2560  2564  cmd.exe                                                                 93
  PID 2564 wrote to memory of 2560  2564  cmd.exe                                                                 93
  PID 1092 wrote to memory of 1864  1092  Customized.pif                                                          102
  PID 1092 wrote to memory of 1864  1092  Customized.pif                                                          102
  PID 1092 wrote to memory of 1864  1092  Customized.pif                                                          102
  PID 1864 wrote to memory of 316   1864  cmd.exe                                                                 104
  PID 1864 wrote to memory of 316   1864  cmd.exe                                                                 104
  PID 1864 wrote to memory of 316   1864  cmd.exe                                                                 104
Processes

C:\Users\Admin\AppData\Local\Temp\d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf.exe"
  PID: 4764
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c move Kai Kai.bat & Kai.bat
    PID: 2564
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 1132
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "wrsa opssvc"
      PID: 3520
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2460
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      PID: 4980
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 714589
      PID: 4836
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /V "MonkeyBeginningHurricanePhi" Underground
      PID: 4204
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b ..\Witness + ..\Currency + ..\Eating + ..\Salary + ..\Nn + ..\Derived + ..\Preceding + ..\Journalism + ..\Disk E
      PID: 3116
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\714589\Customized.pif
      Command line: Customized.pif E
      PID: 1092
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKKEGDGCGDAK" & exit
        PID: 1864
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 10
          PID: 316
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe

    C:\Windows\SysWOW64\choice.exe
      Command line: choice /d y /t 15
      PID: 2560
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads