Analysis

  • max time kernel
    34s
  • max time network
    38s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-10-2024 16:18

General

  • Target

    res.js

  • Size

    4KB

  • MD5

    440c1565f02140aa1b10af7a682d0bd6

  • SHA1

    c1b8cd858d6656bd63f78cde6479d55c45bc25d5

  • SHA256

    d58a43177a96c7ba99b18b092b2328e0d1992bb6297f9d88c07479a57d1b960d

  • SHA512

    cf9199c3d39f970e4b6e42e14945b87f7bf99551a034c8eca5bc039b9328b081fd31efe4c772fef4aa0e87b7255b8a02230ee86ef95c4d67e71b9818c0012ac0

  • SSDEEP

    96:C7qdfKkxWtLqSXpd5mokVew2e3jzwuuHC0MPF6XBm5YaWxMR4GTBMh8lCfIxj6fQ:VrsIYXmoqMe3bEdMt6sY7e4GTrv9VV

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

65158feadb3cebfa5c9a9e36f0d461fe

C2

https://t.me/fun88rockskek

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\res.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:5600
    • C:\Users\Admin\AppData\Local\Temp\tp3host.exe
      "C:\Users\Admin\AppData\Local\Temp\tp3host.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Users\Admin\AppData\Local\Temp\tp3host.exe
        "C:\Users\Admin\AppData\Local\Temp\tp3host.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4828
  • C:\Windows\System32\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5204

Network

  • flag-us
    DNS
    giantowl.flywheelsites.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    giantowl.flywheelsites.com
    IN A
    Response
    giantowl.flywheelsites.com
    IN A
    151.101.2.159
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    ctldl.windowsupdate.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.23.210.83
    a767.dspw65.akamai.net
    IN A
    2.23.210.88
  • flag-us
    DNS
    159.2.101.151.in-addr.arpa
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    159.2.101.151.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.comodoca.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.comodoca.com
    IN A
    Response
    ocsp.comodoca.com
    IN CNAME
    ocsp.comodoca.com.cdn.cloudflare.net
    ocsp.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.38.233
    ocsp.comodoca.com.cdn.cloudflare.net
    IN A
    172.64.149.23
  • flag-us
    DNS
    ocsp.usertrust.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.usertrust.com
    IN A
    Response
    ocsp.usertrust.com
    IN CNAME
    ocsp.comodoca.com.cdn.cloudflare.net
    ocsp.comodoca.com.cdn.cloudflare.net
    IN A
    172.64.149.23
    ocsp.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.38.233
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    233.38.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.38.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.38.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.38.18.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    23.149.64.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.149.64.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.149.64.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.149.64.172.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    t.me
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.godaddy.com
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
    Response
    ocsp.godaddy.com
    IN CNAME
    ocsp.godaddy.com.akadns.net
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.22
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.36
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.23
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.41
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.24
  • flag-us
    DNS
    ocsp.godaddy.com
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
  • flag-us
    DNS
    ocsp.godaddy.com
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
  • flag-us
    DNS
    ocsp.godaddy.com
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
  • flag-us
    DNS
    ocsp.godaddy.com
    tp3host.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
  • 151.101.2.159:443
    giantowl.flywheelsites.com
    tls
    wscript.exe
    191.9kB
    5.4MB
    3887
    3879
  • 149.154.167.99:443
    t.me
    tls
    tp3host.exe
    1.4kB
    6.7kB
    16
    11
  • 8.8.8.8:53
    giantowl.flywheelsites.com
    dns
    wscript.exe
    546 B
    1.0kB
    8
    7

    DNS Request

    giantowl.flywheelsites.com

    DNS Response

    151.101.2.159

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.23.210.83
    2.23.210.88

    DNS Request

    159.2.101.151.in-addr.arpa

    DNS Request

    ocsp.comodoca.com

    DNS Response

    104.18.38.233
    172.64.149.23

    DNS Request

    ocsp.usertrust.com

    DNS Response

    172.64.149.23
    104.18.38.233

    DNS Request

    83.210.23.2.in-addr.arpa

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    233.38.18.104.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    233.38.18.104.in-addr.arpa

    DNS Request

    233.38.18.104.in-addr.arpa

  • 8.8.8.8:53
    23.149.64.172.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    23.149.64.172.in-addr.arpa

    DNS Request

    23.149.64.172.in-addr.arpa

  • 8.8.8.8:53
    t.me
    dns
    tp3host.exe
    433 B
    415 B
    7
    3

    DNS Request

    t.me

    DNS Response

    149.154.167.99

    DNS Request

    99.167.154.149.in-addr.arpa

    DNS Request

    ocsp.godaddy.com

    DNS Request

    ocsp.godaddy.com

    DNS Request

    ocsp.godaddy.com

    DNS Request

    ocsp.godaddy.com

    DNS Request

    ocsp.godaddy.com

    DNS Response

    192.124.249.22
    192.124.249.36
    192.124.249.23
    192.124.249.41
    192.124.249.24

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tp3host.exe

    Filesize

    5.0MB

    MD5

    6733924c670207ed7755dc0fe2286c36

    SHA1

    2fea9c1b0c3b0a923232dbcadcfc661bb08031d0

    SHA256

    a555018ed03a0b191f64f625b75cebd9f62c194c7b1c1a66b91266f2f1c1b6c4

    SHA512

    692d642223ddcff9e75e0d76437fbc760f9a356609fc4c3cccdddbdeb453f2bf04ce8438c3820b4445c320840a28f86215da880f1d8fe96dc9f65567e4505e67

  • memory/3748-34-0x0000000000400000-0x0000000000919000-memory.dmp

    Filesize

    5.1MB

  • memory/3748-33-0x0000000000400000-0x0000000000919000-memory.dmp

    Filesize

    5.1MB

  • memory/3748-35-0x0000000000400000-0x0000000000919000-memory.dmp

    Filesize

    5.1MB

  • memory/3748-39-0x0000000000400000-0x0000000000919000-memory.dmp

    Filesize

    5.1MB

  • memory/3748-38-0x0000000000400000-0x0000000000919000-memory.dmp

    Filesize

    5.1MB

  • memory/3748-36-0x0000000000400000-0x0000000000919000-memory.dmp

    Filesize

    5.1MB

  • memory/4828-41-0x0000000000920000-0x0000000000B96000-memory.dmp

    Filesize

    2.5MB

  • memory/4828-37-0x0000000000920000-0x0000000000B96000-memory.dmp

    Filesize

    2.5MB

  • memory/5204-32-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-26-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-27-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-28-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-29-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-30-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-31-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-22-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-21-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB

  • memory/5204-20-0x00000282C2060000-0x00000282C2061000-memory.dmp

    Filesize

    4KB
