Resubmissions

10/10/2024, 02:19 UTC

241010-crx4sazhnm (score 10)

Analysis

  • max time kernel
    74s
  • max time network
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10/10/2024, 02:19 UTC

General

  • Target

    Samples - 10-09-2024/44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe

  • Size

    282KB

  • MD5

    f31d21c664ded57509d1e2e1e2c73098

  • SHA1

    58abbe186f2324eca451d3866b63ceeb924d3391

  • SHA256

    44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b

  • SHA512

    5aff27d9ffb0568072f52e51679bbd9cb3c063d7bb1c3fe658c10241b633a66738d6bd7ee2111e065a1b93098bdaa1e5da6b9b8d063fe3f1ff1de7d71d32aa53

  • SSDEEP

    6144:GsbHGb3gHx2vdWxR5TjWfEvi3v+QwzmGEO:iPvoxR5WfEveSKGEO

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe
    "C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\FHIDAFHCBAKF" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2448
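As an added example (not part of the sandbox report), the following Python script runs two detections over constructed Sysmon-style process-creation events that mirror the process tree above: RegAsm.exe started with no command-line arguments (the shape a hollowed host process takes, consistent with the SetThreadContext and WriteProcessMemory signatures on the parent and the 2.3MB image dumped from PID 2044), and a cmd.exe chain of `timeout /t N` followed by `del /f /q` of the parent's own image, which is the delayed self-delete recorded above. The `ProcEvent` fields, the parent PID of the sample and the benign `RegAsm.exe /codebase` control event are assumptions made for the example.

```python
"""Process-tree detections for the Vidar pattern recorded in the report.

Added example; events are constructed to mirror the report's process tree
(PIDs 3500, 2044, 848, 2448 come from the report, everything else is assumed).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # raw command line as logged


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024"
              r"\44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events. Parent PID 1234 of the sample and the last (benign) event are assumptions.
EVENTS = [
    ProcEvent(3500, 1234, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2044, 3500, REGASM, f'"{REGASM}"'),
    ProcEvent(848, 2044, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "' + REGASM
              + r'" & rd /s /q "C:\ProgramData\FHIDAFHCBAKF" & exit'),
    ProcEvent(2448, 848, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 10"),
    # Benign control: a developer registering an assembly for COM interop.
    ProcEvent(5000, 4000, REGASM, f'"{REGASM}" /codebase MyLib.dll'),
]

# First token (quoted or bare image path), then whatever arguments follow.
ARGS_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)

# timeout /t <n> & del [/f /q ...] "<path>" &   (the cleanup chain seen in the report)
SELF_DELETE_RE = re.compile(
    r'timeout\s+/t\s+(\d+)\s*&\s*del\s+(?:/[fqa]\s+)*"?([^"&]+?)"?\s*&',
    re.IGNORECASE,
)


def arguments(cmdline: str) -> str:
    """Return the argument string after the image token ('' when none)."""
    m = ARGS_RE.match(cmdline)
    return m.group(1).strip() if m else ""


def detect(events):
    """Return (rule, pid) hits in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Rule 1: RegAsm.exe has no legitimate use without arguments; an empty
        # command line from a non-developer parent is the hollowing tell.
        if image.endswith("\\regasm.exe") and not arguments(e.cmdline):
            hits.append(("regasm_no_args", e.pid))
        # Rule 2: cmd.exe deleting its own parent's image after a timeout.
        m = SELF_DELETE_RE.search(e.cmdline)
        if m and image.endswith("\\cmd.exe") and parent is not None:
            target = m.group(2).strip().lower()
            if target == parent.image.lower():
                hits.append(("delayed_self_delete", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 keys on the relationship between the deleted path and the parent's image rather than on the exact `timeout /t 10` value, so a sample that waits 5 or 30 seconds, or uses `del /a /f /q`, is still caught; the benign `RegAsm.exe /codebase` event is not flagged by rule 1 because it carries arguments.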

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    t.me
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    ocsp.godaddy.com
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
    Response
    ocsp.godaddy.com
    IN CNAME
    ocsp.godaddy.com.akadns.net
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.23
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.22
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.41
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.36
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.24
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.digicert.com
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-us
    DNS
    gacan.zapto.org
    Remote address:
    8.8.8.8:53
    Request
    gacan.zapto.org
    IN A
    Response
  • flag-us
    DNS
    ris.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    ris.api.iris.microsoft.com
    IN A
    Response
    ris.api.iris.microsoft.com
    IN CNAME
    ris-prod.trafficmanager.net
    ris-prod.trafficmanager.net
    IN CNAME
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    IN A
    20.234.120.54
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.23.210.83
    a767.dspw65.akamai.net
    IN A
    2.23.210.88
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.249.124.192.in-addr.arpa
    IN PTR
    Response
    23.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10023.sucuri.net
  • flag-us
    DNS
    steamcommunity.com
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    104.82.234.109
  • flag-us
    DNS
    109.234.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    109.234.82.104.in-addr.arpa
    IN PTR
    Response
    109.234.82.104.in-addr.arpa
    IN PTR
    a104-82-234-109.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    IN A
    20.223.35.26
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.236.23
  • 149.154.167.99:443
    t.me
    tls
    RegAsm.exe
    sent 1.6kB / received 17.4kB
    packets sent 24 / received 20
  • 104.82.234.109:443
    steamcommunity.com
    tls
    RegAsm.exe
    sent 2.3kB / received 42.8kB
    packets sent 40 / received 38
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    sent 198 B / received 90 B
    packets sent 3 / received 1

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    sent 663 B / received 1.6kB
    packets sent 10 / received 10

    DNS Request

    83.210.23.2.in-addr.arpa

    DNS Request

    205.47.74.20.in-addr.arpa

    DNS Request

    t.me

    DNS Response

    149.154.167.99

    DNS Request

    ocsp.godaddy.com

    DNS Response

    192.124.249.23
    192.124.249.22
    192.124.249.41
    192.124.249.36
    192.124.249.24

    DNS Request

    99.167.154.149.in-addr.arpa

    DNS Request

    ocsp.digicert.com

    DNS Response

    192.229.221.95

    DNS Request

    gacan.zapto.org

    DNS Request

    ris.api.iris.microsoft.com

    DNS Response

    20.234.120.54

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.23.210.83
    2.23.210.88

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    23.249.124.192.in-addr.arpa
    dns
    sent 414 B / received 805 B
    packets sent 6 / received 6

    DNS Request

    23.249.124.192.in-addr.arpa

    DNS Request

    steamcommunity.com

    DNS Response

    104.82.234.109

    DNS Request

    109.234.82.104.in-addr.arpa

    DNS Request

    arc.msn.com

    DNS Response

    20.223.35.26

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.236.23
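The two TLS flows above come from RegAsm.exe, a .NET assembly-registration tool with no reason to talk to Telegram or Steam, and both destinations are the URLs listed under C2: Vidar reads its real C2 address from the text of a Telegram channel or Steam profile page (a dead-drop resolver), which is why the flows are small uploads with larger downloads. The report's user_agent attribute also claims an Opera build on macOS while the host is Windows 11. As an added example (not part of the sandbox report), the following Python script applies those two checks to constructed flow and proxy records mirroring the report; the `Flow` fields, the browser allow-list and the benign msedge.exe control flow are assumptions made for the example.

```python
"""Network-side checks for the Vidar dead-drop pattern recorded in the report.

Added example; flows are constructed from the report's flow table, the
user agent is the report's user_agent attribute, and the host OS comes from
the report's platform field (windows11-21h2_x64).
"""
import re
from dataclasses import dataclass

HOST_OS = "windows"

# Hosts the report lists under C2; Vidar uses pages on them as dead-drop resolvers.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

# Processes for which a visit to these sites is unremarkable (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}


@dataclass(frozen=True)
class Flow:
    process: str
    dest_host: str
    dest_port: int
    proto: str
    sent: int       # bytes sent by the host
    received: int   # bytes received by the host


FLOWS = [
    Flow("RegAsm.exe", "t.me", 443, "tls", 1600, 17400),
    Flow("RegAsm.exe", "steamcommunity.com", 443, "tls", 2300, 42800),
    # Constructed benign control: a browser visiting Steam.
    Flow("msedge.exe", "steamcommunity.com", 443, "tls", 9000, 310000),
]

USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0")


def ua_platform(ua: str) -> str:
    """Coarse OS family claimed by the first parenthesised UA token."""
    m = re.search(r"\(([^)]*)\)", ua)
    if not m:
        return "unknown"
    token = m.group(1).lower()
    if "windows" in token:
        return "windows"
    if "macintosh" in token or "mac os x" in token:
        return "macos"
    if "android" in token or "linux" in token:
        return "linux"
    return "unknown"


def flag_dead_drop(flows):
    """Non-browser processes fetching the dead-drop hosts over TLS."""
    return [f for f in flows
            if f.dest_host in DEAD_DROP_HOSTS
            and f.proto == "tls"
            and f.process.lower() not in BROWSERS]


def flag_ua_mismatch(ua: str, host_os: str) -> bool:
    """True when the UA claims a different OS family than the host runs."""
    return ua_platform(ua) != host_os


def triage(flows, ua, host_os=HOST_OS):
    """Combine both checks into a list of findings."""
    findings = [("dead_drop_resolver", f.process, f.dest_host)
                for f in flag_dead_drop(flows)]
    if flag_ua_mismatch(ua, host_os):
        findings.append(("ua_os_mismatch", ua_platform(ua), host_os))
    return findings


if __name__ == "__main__":
    for finding in triage(FLOWS, USER_AGENT):
        print(finding)
```

The process-to-destination rule is the durable one: the Telegram channel and Steam profile change between builds, but a non-browser process fetching either site is rare on a managed host. The UA mismatch is a weaker, easily changed signal and is best treated as corroboration on a proxy or TLS-inspection log rather than as a standalone alert.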

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2044-6-0x0000000000400000-0x0000000000657000-memory.dmp

    Filesize

    2.3MB

  • memory/2044-10-0x0000000000400000-0x0000000000657000-memory.dmp

    Filesize

    2.3MB

  • memory/2044-7-0x0000000000400000-0x0000000000657000-memory.dmp

    Filesize

    2.3MB

  • memory/2044-27-0x0000000000400000-0x0000000000657000-memory.dmp

    Filesize

    2.3MB

  • memory/2044-28-0x0000000000400000-0x0000000000657000-memory.dmp

    Filesize

    2.3MB

  • memory/3500-0-0x000000007459E000-0x000000007459F000-memory.dmp

    Filesize

    4KB

  • memory/3500-1-0x0000000000F30000-0x0000000000F7A000-memory.dmp

    Filesize

    296KB

  • memory/3500-13-0x0000000074590000-0x0000000074D41000-memory.dmp

    Filesize

    7.7MB

  • memory/3500-29-0x0000000074590000-0x0000000074D41000-memory.dmp

    Filesize

    7.7MB