Overview

overview

10

Static

static

1

ts.js

windows11-21h2-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-10-2024 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ts.js

  • Size

    4KB

  • MD5

    ed3b56e4275b4a0ed7b7b0b7bd7461c6

  • SHA1

    404efc9a3c6be253546f9ad0cc6b61df5efbf091

  • SHA256

    848296488fd185d3621c274420d9e59b974734234ec4e420bc11820f26c732a6

  • SHA512

    7bc3684177b1ec80b3e7895522f29996a706a3215314307726c9ecaab65b5525936725bf41d876fdd575e9dd583d6cc1e02ca9fed2988418d4cf33fb8d3f208a

  • SSDEEP

    96:dCkwnKuF0idLODzNXkv6YxiMjip1PDpmMjDqVoV7bKD8Ngr:fwndTdCDz1SLxixp1PPjD9btNgr

Score
10/10
vidarcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

vidar

Version

8

Extracted

Family

vidar

C2

https://t.me/fun88rockskek

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

  • Detect Vidar Stealer 6 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ts.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\AppData\Local\Temp\tp3host.exe
      "C:\Users\Admin\AppData\Local\Temp\tp3host.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\tp3host.exe
        "C:\Users\Admin\AppData\Local\Temp\tp3host.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          4⤵
          • Uses browser remote debugging
          • Drops file in Windows directory
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4176
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa3f42cc40,0x7ffa3f42cc4c,0x7ffa3f42cc58
            5⤵
              PID:480
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:2
              5⤵
                PID:4908
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:3
                5⤵
                  PID:2236
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
                  5⤵
                    PID:2112
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
                    5⤵
                    • Uses browser remote debugging
                    PID:1108
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
                    5⤵
                    • Uses browser remote debugging
                    PID:3120
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:1
                    5⤵
                    • Uses browser remote debugging
                    PID:1724
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
                    5⤵
                      PID:4208
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
                      5⤵
                        PID:1316
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
                        5⤵
                          PID:2756
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,4353045656861500519,10637332231974655303,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
                          5⤵
                            PID:4312
                  • C:\Windows\System32\Taskmgr.exe
                    "C:\Windows\System32\Taskmgr.exe"
                    1⤵
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1916
                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                    1⤵
                      PID:2936
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                      1⤵
                        PID:3736

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\chrome.dll
                        Filesize

                        676KB

                        MD5

                        eda18948a989176f4eebb175ce806255

                        SHA1

                        ff22a3d5f5fb705137f233c36622c79eab995897

                        SHA256

                        81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

                        SHA512

                        160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                        Filesize

                        649B

                        MD5

                        ab7da25719724b1e87afb2e4865a91a0

                        SHA1

                        7e7c19935b264c9481b55b97d781b16b9aa47558

                        SHA256

                        1cbe37dfc6f97b92f905b66b13e44dd4dd8103d8cefc24f5605bc0c1691a7159

                        SHA512

                        a561bf393810a4ebd078d61977403664fa91d51ec84ab09be7a90b794182dcdf2f496940e8c149fe1abe46867d6a3464bddd800b21838b03145f9a9ccfc4bbfe

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                        Filesize

                        2B

                        MD5

                        d751713988987e9331980363e24189ce

                        SHA1

                        97d170e1550eee4afc0af065b78cda302a97674c

                        SHA256

                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                        SHA512

                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tp3host.exe
                        Filesize

                        5.0MB

                        MD5

                        fb08f2cb20523c34a7c01e2f565774a1

                        SHA1

                        212f6bb39ab33ea61abaf69e35da3449db39d1d8

                        SHA256

                        9a42637e8c5229a0b84c28892e030c5b9d07cd32ccb5bdc0cc6f0633113c8fe2

                        SHA512

                        c7e650e8b7d4f1ece36f1dd1427ee200ed824a032ea6b3452a5f3f68edca4605f5f94c5ee2730dcc9016c8d8fea355fddf2d47aecdf23e574cd431307d0d143d

                        Download Submit

                      • memory/1280-105-0x0000000000920000-0x0000000000C20000-memory.dmp

                        Filesize

                        3.0MB

                        Download

                      • memory/1280-55-0x0000000019A90000-0x0000000019CEF000-memory.dmp

                        Filesize

                        2.4MB

                        Download

                      • memory/1280-53-0x0000000000920000-0x0000000000C20000-memory.dmp

                        Filesize

                        3.0MB

                        Download

                      • memory/1280-41-0x0000000000920000-0x0000000000C20000-memory.dmp

                        Filesize

                        3.0MB

                        Download

                      • memory/1280-37-0x0000000000920000-0x0000000000C20000-memory.dmp

                        Filesize

                        3.0MB

                        Download

                      • memory/1508-36-0x0000000000400000-0x000000000091F000-memory.dmp

                        Filesize

                        5.1MB

                        Download

                      • memory/1508-39-0x0000000000400000-0x000000000091F000-memory.dmp

                        Filesize

                        5.1MB

                        Download

                      • memory/1508-33-0x0000000000400000-0x000000000091F000-memory.dmp

                        Filesize

                        5.1MB

                        Download

                      • memory/1508-35-0x0000000000400000-0x000000000091F000-memory.dmp

                        Filesize

                        5.1MB

                        Download

                      • memory/1508-34-0x0000000000400000-0x000000000091F000-memory.dmp

                        Filesize

                        5.1MB

                        Download

                      • memory/1508-38-0x0000000000400000-0x000000000091F000-memory.dmp

                        Filesize

                        5.1MB

                        Download

                      • memory/1916-29-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-28-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-31-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-32-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-26-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-27-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-30-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-20-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-21-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1916-22-0x000001E0DB440000-0x000001E0DB441000-memory.dmp

                        Filesize

                        4KB

                        Download