General
- Target: HEU_KMS_Activator_30.4.0.exe
- Size: 7.5MB
- Sample: 241003-vqhxkswhnq
- MD5: fa8414423461fbc180cd6bb1ddce0943
- SHA1: e47d1c1bbf202bcbfc887801833ebb6ba28b03ed
- SHA256: 9a97197ab32aa3645c3c6e2862aec79d04c7aec015e33ab7589df6c9001f61a0
- SHA512: d62af6118880cc457b21b1749fcdde5353bd761993aaa84822897732be219fb229680ca6402338fde5f4436778aa68d24a88da120fce95ac109112273ab58a1f
- SSDEEP: 196608:NvGacofn0nk/6RGU+cu6xYDcUT+GXGMVPNBvLDA:Nveof0nid5cu6mDhyirTA
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: HEU_KMS_Activator_30.4.0.exe; resource: win7-20240903-en)
- Behavioral task: behavioral2 (sample: HEU_KMS_Activator_30.4.0.exe; resource: win10v2004-20240802-en)
Malware Config
Extracted family: vidar
- 11
- 7e6c13833126d03adc9573b3325d5542
- https://steamcommunity.com/profiles/76561199780418869
- https://t.me/ae5ed
- user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Targets
- Target: HEU_KMS_Activator_30.4.0.exe
Signatures
- Detect Vidar Stealer
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 4
- Credentials In Files: 4