Overview

overview

10

Static

static

3

1e0896f056...54.exe

windows7-x64

10

1e0896f056...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e0896f0568ab4a21891cad2188a81e645c509a5818accb5321486566ab37554.exe

  • Size

    1.0MB

  • MD5

    24b3c7ec574c6ac4e05181f270604fb5

  • SHA1

    ef38f251a3d33583b78de45fbbc8794255e27bc4

  • SHA256

    1e0896f0568ab4a21891cad2188a81e645c509a5818accb5321486566ab37554

  • SHA512

    a28604fd7fa7171f6942306238d4f95c5da763e809fe8e263517f92962f2ddd6dc3afb18816e8f3ac67eb3d0c55b4626e38a8456be8366914ad98ba1c33c609f

  • SSDEEP

    24576:It4NlboWvU9Lprhz7xgRfQjh5AAC1TnHBktmgtDGM+ia4pJ98+:iXWU9N8Ih5DCZHBumgci38+

Score
10/10
vidarb5e1d5db64f9bf375f59ea81bf61b515credential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

b5e1d5db64f9bf375f59ea81bf61b515

C2

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 17 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e0896f0568ab4a21891cad2188a81e645c509a5818accb5321486566ab37554.exe
    "C:\Users\Admin\AppData\Local\Temp\1e0896f0568ab4a21891cad2188a81e645c509a5818accb5321486566ab37554.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Mv Mv.bat & Mv.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3156
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4160
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3744
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 559571
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4336
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "SlutSimultaneouslyThosePeriods" Represents
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Prepaid + ..\Footwear + ..\Earlier + ..\Scene + ..\Weird + ..\Outlook + ..\Ba + ..\Novelty T
        3⤵
        • System Location Discovery: System Language Discovery
        PID:908
      • C:\Users\Admin\AppData\Local\Temp\559571\Propose.pif
        Propose.pif T
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\559571\Propose.pif" & rd /s /q "C:\ProgramData\GDAAKKEHDHCA" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3576
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:316
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • C:\ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\559571\Propose.pif
    Filesize

    872KB

    MD5

    18ce19b57f43ce0a5af149c96aecc685

    SHA1

    1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

    SHA256

    d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

    SHA512

    a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\559571\T
    Filesize

    539KB

    MD5

    80196f8becfbd972d8d56a1c4d6d0f57

    SHA1

    80ce255ec10c02ec737cb72e41eda5c67dcf6545

    SHA256

    a0c59f8bd63d3b6d585477051bddfc68b2df248dfed3dd5a13384027ae3acf17

    SHA512

    96697f022e2d8cc7e721e317af9d421a5ac7219ee515298e2de75859cd9354d5dafb9d586545a8e2b0b83ca8127edc5f340d11038662bfcfc03848208bbf556c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ba
    Filesize

    75KB

    MD5

    b8c2e6bab05d934445b418a4e1751669

    SHA1

    4acca4ff7a6fa8f31e0e8b797cfbb177025085e9

    SHA256

    06f8c664ae781028ad8febef4af16cca458a8d4875bf5d74b254e599e28116b5

    SHA512

    9353bc263f56b5325aaa1ea0288f60dc79d2648180202093fc4168c8ba9ddb60207640b83a5e9f4166fabff7064138b75dd6b377ede0fbd8b7a261a1c05af11a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Earlier
    Filesize

    84KB

    MD5

    7ea8491b6d3369f41889c1891d7abe90

    SHA1

    844bb3690f07bc5c23e93628a7b98c16b4b28085

    SHA256

    1bcdb8d4aa866a2d6289bd2c7d5e5cb5919a50a7dffdd4d6afe1737c0e1917e7

    SHA512

    4f9028354382d2b1bd02dd07f4126dd0a5889bb4352c53b758bf035a66923917b2acda7b336fc3e232f0901c326590ee5ac38bde37480e03cd4fabb4e7689994

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Footwear
    Filesize

    84KB

    MD5

    643d1f90bf4455751fc0696228c2ed91

    SHA1

    56958ad6d62aaddbfbd6824663a5ea6e05a39415

    SHA256

    c24fced9fe5406e2e7c751197ef9cab30fc646cb4731b1b8b52f122bfdf75c48

    SHA512

    6fe0184f3b243be9916e3348fab001a6be67fc59ffd38e1e382e1954f273c834316f8968686f5ea17ccb84651408f7e9a498662cec834a2373f71b784cfbce3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Mv
    Filesize

    20KB

    MD5

    2120f34cc60ac2639062cda8a6c44606

    SHA1

    6e2cf65695d9702b7699a5bb2c161921891fec49

    SHA256

    020512f37707f23a5e65c85ba181cb03882e7583b4359bf47e55938398f92a5b

    SHA512

    6ca68b934d4466e7980d4531ba9d7d50bd2011fa38e44ef8286b8e388310cd2ced83d0687329ecbecfe7c6368fa0f69b0f144492b968b7a2b1e0430a78dd437e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Novelty
    Filesize

    29KB

    MD5

    99307be4fd5a8e88b987e1330910376d

    SHA1

    ea291fa530fbae78cc38f1ffa1bc231d6753168e

    SHA256

    2ee5f69b79b3f142b16a349781b3c7f54fcdd78c5c7717bf032740f71a243373

    SHA512

    cef2a076e814b72c297024ae5d11f26a602c7d1ff61223e67165cac44da65087633741df21d514e2a5d3ae9f7b289aa7080cfa21c16c8e5c7e709e82cb864bb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Outlook
    Filesize

    67KB

    MD5

    6dcb07d948dd27e27da5bcc0e24a74f4

    SHA1

    a7c8723bab4a02874174537733742567e4dff47a

    SHA256

    6c7a2cf325f68869548607884fb1ced7c053403afd948269210f3e083ad94b95

    SHA512

    c7860d5a98e0a8e21ff6fb5c009c628486ec41fa65bacd28401fa7b062adc9ffc93ed7dd0b38deebe225357c4884c2aef73d046bee92171f8687b6574e2949b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Prepaid
    Filesize

    58KB

    MD5

    4889945a3e01c38c694b26a92bb41f95

    SHA1

    eb1ddbf42e2fcb6d59514d5e279497e0c98f31cb

    SHA256

    72f8fcb32ebca3b0fdb8f6b315ea8a223486b6795925b103c01a3772254e5c0f

    SHA512

    b75092836f1d41c827ed5445c442e47354945dc9c988dad465f657afab36ba5303d389de74a06d9ab8033e48dab928432524fe9bd357a39c52b0bc166c2bc91c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Represents
    Filesize

    5KB

    MD5

    f656313549000fdc4f0c84d2bcdc24c6

    SHA1

    056bfb8befcf8391b2d9c30f3f07f9f4f9430cd4

    SHA256

    c0f83f3e9cff6bc050ed6172e507e4ab6db1ac02e361635b903ccae35dfb41f4

    SHA512

    379258047f51ca28728b673589b8d82aa72c2ac2377ff9a445503c23d2a56329c7b17cfdcff971d5bd5c13d026a80f8286c98d7f643574ab7cbf57982c50f5cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Scene
    Filesize

    92KB

    MD5

    294e58105fbb9599db48e2145af0b2ef

    SHA1

    f42b5c8c7f28ba2ac8f0cb8d46c444b62164c118

    SHA256

    c97737fa00eb5eff8686bbf38d936fc43e714440bdbaed1a27953a8853934962

    SHA512

    446c2293715301a7d36357e8067c536b67195ab49f9d835783f09e240d646d956c3b84277cba8245125452bbc3890f91daf81cb4666e9c4f0b67d3285530ac12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Slow
    Filesize

    867KB

    MD5

    57f1a4c06cbd56804f74d591dc7f8076

    SHA1

    0fac8241cc9b73c64043df801a06c94a4792d0c7

    SHA256

    7c7c8c50b98e0ff056860797d230d54fcc17a525411b0eff0f242dcd2453aa0d

    SHA512

    93a0583a38a2025b4f5a6a7e61bfcf5ba387cc7c06fcbeb9c3892f83564dd663b46c3c468065acfff98b58ae47d4566addcff02683c742c0687168c0ccf6b8fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Weird
    Filesize

    50KB

    MD5

    da95aa5e86d44fb4ec40d074e7c9bdb9

    SHA1

    162cec6e2662d2bb76078ccf6bafdc5cd3e0af39

    SHA256

    f83c0c1516f31f2d5fc3a055202d6d5460ca24a78f8204af177433519e8af5a3

    SHA512

    f840a0b12988da055251b792792d69e5c2a5be38a2cf1239c67ffe12361b4dd44a89bfa45fcf6d47624e68854134ec472bef81bd07d895f5129afa48492d3530

    Download Submit

  • memory/1308-34-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-80-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-33-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-31-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-45-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-46-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-47-0x000000000C7D0000-0x000000000CA2F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1308-54-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-55-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-63-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-64-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-32-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-81-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-30-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-29-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-103-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-104-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-114-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-115-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-116-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1308-117-0x00000000043E0000-0x0000000004656000-memory.dmp

    Filesize

    2.5MB

    Download