Overview

overview

10

Static

static

1

TradingVie...b).zip

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TradingView_Premium_Desktop_(password_github).zip

  • Size

    135.3MB

  • MD5

    22422d62b7a227bb310ece165bc91063

  • SHA1

    8e56d4ee4c2102ba952d5ea46915aa465da1c6d6

  • SHA256

    a6aac404891cb48e8f3a0f578b52be41422fb751e9d4d00f0115296b157c2890

  • SHA512

    76db140bd39165ee6a778559467579e707b740bbf9c374806fd937f7518a0dc56fc10eaaf19949fb9133818b4b657882d18abfb131ca7d1ef5a14c92c5079f3b

  • SSDEEP

    3145728:uph//jwxAQNKfMd8RGT0YrAqMlKYN3RAPX/Ms0TlrRJ7vQ:ChjwTrekT0YrAJIYon0TZQ

Score
10/10
vidarcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Detect Vidar Stealer 8 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github).zip
    1⤵
      PID:4664
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3348
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\" -spe -an -ai#7zMap23839:170:7zEvent13113
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3168
      • C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\TradingView Premium Desktop.exe
        "C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\TradingView Premium Desktop.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EHIDAKECFIEB" & exit
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            3⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3904
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /0
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1812
      • C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\TradingView Premium Desktop.exe
        "C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\TradingView Premium Desktop.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4400
      • C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\TradingView Premium Desktop.exe
        "C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\TradingView Premium Desktop.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:212
      • C:\Users\Admin\Downloads\w\TradingView Premium Desktop.exe
        "C:\Users\Admin\Downloads\w\TradingView Premium Desktop.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        PID:4784
      • C:\Users\Admin\Downloads\w\TradingView Premium Desktop.exe
        "C:\Users\Admin\Downloads\w\TradingView Premium Desktop.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        PID:1172

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\FBFCGIDAKECG\HJDAKF
        Filesize

        20KB

        MD5

        066a537b995fe292f153bf37fa7386f2

        SHA1

        c63888164ad71f8b619d22bffb3348d7d4f386ee

        SHA256

        4c0eb0dbe16a4ed706ca649c8e220fda74472fd5275cdbd2fab2bcf17eb34a89

        SHA512

        3c68949672b34ef560518721e034883758ac2248bbb1fcd390477494cb4b319d709a8bcad1376428f8d96736c3406677a10512eb59ec804f8ee0970fe3780c08

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
        Filesize

        471B

        MD5

        932a53c8f40fe40a68ceb03eec999118

        SHA1

        18e8d6eb94d23d7d3509318bcb5312069fd1ddbf

        SHA256

        72a781ad178dcc1a694e056987a851efc5bd747863d01ff2969c3c40e16904f0

        SHA512

        98bd8d6b7182131f05552699767f0d13c3d3777ba6973b35c674477a9bd224dd47829d6c9d809a74310277649ce3b851c8b0cdf9b1c266b104835c18f28fa808

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
        Filesize

        400B

        MD5

        09488b6c127f70dc9c53594fcd60f6d0

        SHA1

        06687788503598d32d834a1b26937408314755f0

        SHA256

        0b5046ed8a90b3ffc9229d7b4e7f0bf6e65499d015ef723f41a0b071d5ddbc16

        SHA512

        019b52a92b9096100d57179669148ba02429c8b6444b4d57e2402584533d3dc424c01a60e61985fd116f8fca2bb85afe86e4b2cc3f74ba87c20e9c37fca7705a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\76561199786602107[1].htm
        Filesize

        34KB

        MD5

        c40bf04025e97c07cd2f0eb965ddfb4f

        SHA1

        c5904446e2906035106601334c8dc8a7370b79a2

        SHA256

        d3a923d6f5dbc66bf8deefdc0407d495ce027d32ccd7a1b7781b3e43297fab07

        SHA512

        3bf27f45eddbd483912b5764a72084e6f02d35733805fdac19da46fb0c1ad7800b49099620975de146682e60720b08fed19ab299497dc5f49aa1bf6678c40050

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\76561199786602107[1].htm
        Filesize

        34KB

        MD5

        b2fbcaba7aeea0b14284bf9f6003565e

        SHA1

        5ffb0b471c475347b6e7b6eb5d653fded662ad19

        SHA256

        a74eb34b63e8dd80ac74df07ab1a4456732cdd91d43be7dbf0a54bfacbc70ec3

        SHA512

        d1e1d7225f9f8d0ce16b04eaf68a25f8a6808dc792fefabb3709ad4806b95ba31b8ab51244c0ff3dcda5ede1711778399dee969a0bd7b9877f89a69bdc2483b1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\76561199786602107[1].htm
        Filesize

        34KB

        MD5

        febaf3bd6d46d72b01ed76303494e7db

        SHA1

        30b5814b00c34ae66a5f4879622b0638fd4e34c7

        SHA256

        3ae027b8b746ffe07074dc4484f96acef84d9fb590d44c08595ae47a4e508bea

        SHA512

        de0fd21ba3027fc0a7dbe0cb2ab0a8e2de8146b6e6ea5adfd889b00aa8da47062424150edf23b39b9e69b4c52361f7fdeed907d861c5379a8a25c7d54fb6a4d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\76561199786602107[1].htm
        Filesize

        34KB

        MD5

        2b604569499993eda5717c9317502747

        SHA1

        168a16584f0e7e7cf8519138740c48658405d695

        SHA256

        9c5262981a74a71b22049a3c4c168847d7d3893007f30e9256490ed4a031e0a6

        SHA512

        d66c4db82009d958f6fe08c5ac212b17c8c5c38726c797480263b295c42d6a1bd2d6d275184209858797456cdc9fe573e524bdbe7a0310983c4f3997cdfd5fb1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB8IB6GH\76561199786602107[1].htm
        Filesize

        34KB

        MD5

        0b1d5432bdebc0b195ecdcb2a10a0d7d

        SHA1

        2fb9b2e0f89750b8119e81f429c76d0fbe91941f

        SHA256

        1cfb2402299a34eadc5be0059a155dd4a8480ba807200b13495afaf677f510af

        SHA512

        93745f5a678ba611fc224879b7dad6996c62fdf026177f269cbe950234edfcb6a8d0830dd1b68ea7012073a071dc8ceca929294fb27e1c741d9cdf2e61b42047

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TradingView_Premium_Desktop_(password_github)\KeyFile\1049\sharedmanagementobjects_keyfile.dll
        Filesize

        23KB

        MD5

        5e54cb9759d1a9416f51ac1e759bbccf

        SHA1

        1a033a7aae7c294967b1baba0b1e6673d4eeefc6

        SHA256

        f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

        SHA512

        32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

        Download Submit

      • memory/212-531-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/212-512-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/212-507-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-506-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-505-0x0000000001B50000-0x0000000001B51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-504-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/1172-588-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/1812-454-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-463-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-462-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-461-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-460-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-464-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-465-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-459-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-455-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1812-453-0x00000179CB280000-0x00000179CB281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-474-0x0000000004370000-0x0000000004371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-479-0x0000000004430000-0x0000000004431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-480-0x0000000004440000-0x0000000004441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-481-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/4400-478-0x0000000004420000-0x0000000004421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-477-0x0000000004410000-0x0000000004411000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-476-0x0000000004400000-0x0000000004401000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-502-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/4400-475-0x0000000004380000-0x0000000004381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-393-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/4776-400-0x0000000061E00000-0x0000000061EF3000-memory.dmp

        Filesize

        972KB

        Download

      • memory/4776-472-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/4776-391-0x0000000004570000-0x0000000004571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-390-0x0000000004560000-0x0000000004561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-389-0x0000000004550000-0x0000000004551000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-388-0x0000000004540000-0x0000000004541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-387-0x0000000004530000-0x0000000004531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-386-0x00000000044F0000-0x00000000044F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-385-0x00000000043E0000-0x00000000043E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-384-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download

      • memory/4784-559-0x0000000000670000-0x0000000001A1B000-memory.dmp

        Filesize

        19.7MB

        Download