Overview

overview

10

Static

static

1

Informatio...al.scr

windows7-x64

10

Informatio...al.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Information for personal.scr

  • Size

    637.4MB

  • MD5

    09c4080e5ce3d0a7df482dbef36d5092

  • SHA1

    8835b4032559719e0c5cc304131f26adcbb5bc46

  • SHA256

    12a91b2e82c707d31d51479f96465fa74dc599c457a1ed07cd747cf5bf164d9f

  • SHA512

    d3284853ad3cb260cddbe78e93cb014b023a34342c33734ead05e359fd908b7108783d119e0d474917d7413db5ddc1f54a3c8ad39bd05be8f3428e22d1cab898

  • SSDEEP

    49152:7jVgiG8hT8cm8U2zkpdt0n/s0YRZHPm4poP2UkCsPt/u:7jimF84UJoE0YRZvm4pk2U/Ahu

Score
10/10
vidarec6d0fe132303eea00070f2f87282a2dcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

6.6

Botnet

ec6d0fe132303eea00070f2f87282a2d

C2

https://t.me/bowbrain

https://steamcommunity.com/profiles/76561199572358993
Attributes
  • profile_id_v2

    ec6d0fe132303eea00070f2f87282a2d

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.48 uacq

Signatures

  • Detect Vidar Stealer 3 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Information for personal.scr
    "C:\Users\Admin\AppData\Local\Temp\Information for personal.scr" /S
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Information for personal.scr" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1912-20-0x000000002A300000-0x000000002A53A000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1912-21-0x000000002A300000-0x000000002A53A000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1912-22-0x000000002A300000-0x000000002A3F0000-memory.dmp

    Filesize

    960KB

    Download