Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 06:28

General

  • Target

    1bc68d708e953bf10bbf6744a6b91b28.exe

  • Size

    959KB

  • MD5

    1bc68d708e953bf10bbf6744a6b91b28

  • SHA1

    a6938a273e7a82cf4909ca40d224a6430f6a2860

  • SHA256

    9c46859695bed9bd827e2292e634c39e2982f40d9be6b170d185ae154a1a6a5f

  • SHA512

    d402f564fc707cdfd6b0853da5c70f0fe7b87e933ce4ff27b28325497dc70439db82bb02c12ed7f1ed804ee3730278117302489c645efbade654f7a9bbd48a06

  • SSDEEP

    24576:2aTm8nQDF5o5nsuru7m/vQ4MYTsPP+1b3PqfRQ2/9:7pQR2RszOQ4JgPYb3YR/9

Malware Config

Extracted

Family

vidar

Version

11.5

Botnet

583ba11aa826bd4d97a3a14cb18c8fac

C2

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc68d708e953bf10bbf6744a6b91b28.exe
    "C:\Users\Admin\AppData\Local\Temp\1bc68d708e953bf10bbf6744a6b91b28.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1256
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 436117
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1936
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "NuclearRemarksReliabilityComputation" Young
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Ky + ..\Appears + ..\Educators + ..\Images + ..\Driver + ..\Generations + ..\Lol v
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1980
      • C:\Users\Admin\AppData\Local\Temp\436117\Mother.pif
        Mother.pif v
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\436117\Mother.pif" & rd /s /q "C:\ProgramData\AEBAFBGIDHCB" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2728
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\436117\v

    Filesize

    435KB

    MD5

    7df1dbcdf8a4e466d1de8c37e037a3b6

    SHA1

    48b543c6e57eaeb31182d8156a4e1b4a10c63626

    SHA256

    fa5df192ad32bf8d2894a42a3d4da71d8095b815a0ae35cd1c96274540741216

    SHA512

    0c51dbbb2dc4cad2a0008854f98d335505fac2d432349f3f0a7b43025b7a6388fcb0b26b088993d814f89405598b507a109fd77d2ac432e9da805727f4a73315

  • C:\Users\Admin\AppData\Local\Temp\Appears

    Filesize

    53KB

    MD5

    c5573f90c6d3acdf359d137009ecf238

    SHA1

    735942b7b1048344942109f71c200bc6e0291c52

    SHA256

    e51f1f69861837446d756f6cb863c4a8b6b1cf4d89b604a02cae79bd05230e23

    SHA512

    5a971247f0ae4a37568b2ee8c84f32ae62a443b323fc0e63d422861575c52c9134870ff1ba4e73937ace29fda2bfd656b2d84fe88f89a22c7311a265df0344b2

  • C:\Users\Admin\AppData\Local\Temp\Cab42EC.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Driver

    Filesize

    98KB

    MD5

    a97be012e03c4adb9383b78b56857e04

    SHA1

    804675871b186b4608746b41181d9c8035e8daf2

    SHA256

    76e970842b79b21169b2c2a4a78467b686b56828072a863201ec0b00ed5d8367

    SHA512

    3da11ec6f76b47fc625f98e66828cfed1a5d429508a08c57a2207298cf8d39351fa0e257cae54ed4b92e27a6c8d3592be2304b8393b5a18a38d0b8648f0f2903

  • C:\Users\Admin\AppData\Local\Temp\Educators

    Filesize

    76KB

    MD5

    67ad7fcd7d2cc18081670270833faf90

    SHA1

    ad6286a0ad9b8e97c74aee1157fa2e3784fe6f51

    SHA256

    18d43ed8eb3f314af1e3d7a910686aa9866b0991af1fc68291c4e96b69ad3128

    SHA512

    b5bd93d90798435721cb24a4758ce251377e338b53ad387bbbccbce0ecfc413f9612d0bf749851be72de15c3d093ea13c2bbb5347ce67973ccb999da11c89272

  • C:\Users\Admin\AppData\Local\Temp\Generations

    Filesize

    54KB

    MD5

    a416958f4ce3467bc4a4885c89650c63

    SHA1

    d47a69cba5a83fa4ded5fe6e1243ffdef62768e2

    SHA256

    76b3187698ac2a4bec709e28d0ff790955bcf2298174844070342f0b9e13409b

    SHA512

    5a4205384f8ec6f8db8fcafd521b04cc6370960e5951e03fc87cb7b25fa79e58f828a0b7bc623ee3adaf19858c9b7cd82c385ec3eec2bd1d9c0fd26ddbda7845

  • C:\Users\Admin\AppData\Local\Temp\Images

    Filesize

    59KB

    MD5

    dff732c8188d88453492ea60753f1c6a

    SHA1

    606941677da5b05f7a7d05b8cf67b8d030ea1004

    SHA256

    84725ab57a34dff97906eb1528f4beb008a09c3b5ff280acce3f3baed38c9b3c

    SHA512

    2329726cfd62c2eb55aa636a21e2932a896df17aa0b76b6ae3a1ea58e9a2e8dcbbdd93222bb068e095a9e536630b23cb579406b90800f5aae3ab3b8aa50ff42b

  • C:\Users\Admin\AppData\Local\Temp\Ky

    Filesize

    72KB

    MD5

    8a238b75196c747ec0df18c80c159f5f

    SHA1

    d22a286d0ee37507af1cd8c9184bdae37235836f

    SHA256

    dbed8da0208234bb370dc2d0e28dff1110aeb02ec7f1d18df6511777e6565d9b

    SHA512

    5b6fcda80821f61d46dcc5ae4618eb6278640f54a8573a097b0fbafbe466c16f292a42613916d5f84e66043e2f21e939b7a8d457b08e13778e464aa4f45cba96

  • C:\Users\Admin\AppData\Local\Temp\Lol

    Filesize

    23KB

    MD5

    6d927fd0532e71575944f4b1dcbb1523

    SHA1

    6ac1dc59fea4db99fbd653cabd548742536b1f52

    SHA256

    1430b10f35b6dc0cf7720c049644ed24f09a988e913bcf933f375e6747b68426

    SHA512

    70047a74ebaadd1fe0176ed7622831d95350b9836d50614c4f57be2962677d6e2131385c920c24808e38b4332aacbe19d3d82fd7c4a85fbcafe782d709545ce0

  • C:\Users\Admin\AppData\Local\Temp\Purchased

    Filesize

    859KB

    MD5

    a8901d6fc635950edcc6b5929837aab9

    SHA1

    709d5b08b7851afd26a58ac1e3d934e795ba4b92

    SHA256

    84717869488d3d39419e4f460b019b0996a0ff5ade09267ae90e2238c3f29ff2

    SHA512

    ac61f8c611b38d455026872eb28be2f993cf741e60538d1bbeb2bdde08be89aa08a3f11a6544d9a36c0cad3a5f175f7af0e0d5798371f8398481b4ced09ebe54

  • C:\Users\Admin\AppData\Local\Temp\Ra.bat

    Filesize

    27KB

    MD5

    26b1281e56dc4459d424a42114a81646

    SHA1

    380a5fb5deb1f47f893c4d1d66b32cd895f6f631

    SHA256

    45933188786c2486dd71305748224f8675c9141fdbd9ecaca4051563b94434f1

    SHA512

    fecd98e3b1e63c1852763ddaf10f13b5bf50d5019a4e9685448d4f8eef08433d4221fdbc974683a28aca5698ddfe3befb987654d1650f27042a5f5f0538fc7ad

  • C:\Users\Admin\AppData\Local\Temp\Tar430E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\Young

    Filesize

    13KB

    MD5

    d028d659aa8f3a0cb70a5e1135c4864b

    SHA1

    6b64391eecd363cfdf66016121c031b422dedde3

    SHA256

    49b41333efdea958c04b064c9306dfe491b0e40f258bca87383380db72590294

    SHA512

    9668b8e3027a11733173a284ddaab25635e283343d364b28fa7b45957b918aab1ec16c831e29f64ba4916cc6a605810d72ca93041754c36d0b909bc98d900269

  • \Users\Admin\AppData\Local\Temp\436117\Mother.pif

    Filesize

    872KB

    MD5

    18ce19b57f43ce0a5af149c96aecc685

    SHA1

    1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

    SHA256

    d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

    SHA512

    a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

  • memory/1560-632-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-634-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-636-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-635-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-631-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-633-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-687-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB

  • memory/1560-688-0x0000000003500000-0x0000000003759000-memory.dmp

    Filesize

    2.3MB