Overview

overview

10

Static

static

3

Controlled...xe.zip

windows7-x64

10

Controlled...xe.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    70s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2024 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ControlledAccessPoint.exe.zip

  • Size

    466KB

  • MD5

    1e2053d4cfc688bc63973f3d18b1e00f

  • SHA1

    7529e740ae73ea65b507e68c2cad107725f78ad6

  • SHA256

    baea231a54de7cc9e3d2613f313eaeefde8fc62ae66e283d7e15e887d2d8d7e6

  • SHA512

    b7ced408d342b7948fe07aa18915724492d2dfafbdca4a8e4369959aafbcde8af88c34b0e76877486d15a66a41cb79407cdaa83cedf7092f59d1cac6d8f5286d

  • SSDEEP

    6144:s8dj8NusAbUE04vKVvFnpvyakp3+NbOmAEH6kB7/yQB/2LTMqaPvncVq:s8GNn204vKrpvypR66mAEPB7/YMP3oq

Score
10/10
vidar2ee1445fc63bc20d0e7966867b13e0e1discoverystealer

Malware Config

Extracted

Family

vidar

Version

11

Botnet

2ee1445fc63bc20d0e7966867b13e0e1

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 9 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ControlledAccessPoint.exe.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2860
  • C:\Users\Admin\Desktop\ControlledAccessPoint.exe
    "C:\Users\Admin\Desktop\ControlledAccessPoint.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\JJJDGIECFCAK" & exit
        3⤵
          PID:2352
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            4⤵
            • Delays execution with timeout.exe
            PID:1628
    • C:\Users\Admin\Desktop\ControlledAccessPoint.exe
      "C:\Users\Admin\Desktop\ControlledAccessPoint.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:544
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          2⤵
            PID:2448
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\HCFBKKEBKEBG" & exit
              3⤵
                PID:1516
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 10
                  4⤵
                  • Delays execution with timeout.exe
                  PID:2368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\76561199780418869[1].htm
            Filesize

            34KB

            MD5

            79484b40d4965b09b00712dd7a4348f8

            SHA1

            e619c7c4d58a3b9eb081b3318fcf489bcea1232a

            SHA256

            3c5da67f1d90082f231a4d6b5238edf6c3904ebd661f8c0584b9b1bd6f3355d6

            SHA512

            af620379e3dc5d97b8926256ec7667f9e49ec524d9f147f8bdd0b620cc332a52ad60afb69b8c926b70e7439efa40f6332b2ddf2fb46fdfaa50936d60b92cd262

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Cab3A06.tmp
            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar3AD4.tmp
            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

            Download Submit

          • C:\Users\Admin\Desktop\ControlledAccessPoint.exe
            Filesize

            594KB

            MD5

            f275736a38a6b90825076e8d786ad5c5

            SHA1

            c0d862ceab728736580f043316cdc099b2ab8924

            SHA256

            b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42

            SHA512

            b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711

            Download Submit

          • memory/2448-94-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2448-93-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2448-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2620-18-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-21-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2620-10-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-22-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-12-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-14-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-16-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-90-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-91-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2620-8-0x0000000000400000-0x0000000000676000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/2632-5-0x000000001B520000-0x000000001B596000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2632-4-0x0000000000280000-0x000000000031A000-memory.dmp

            Filesize

            616KB

            Download