Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 06:15

Static task: static1

Behavioral task: behavioral1
  Sample: 1bc68d708e953bf10bbf6744a6b91b28.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1bc68d708e953bf10bbf6744a6b91b28.exe
  Resource: win10v2004-20241007-en
General
Target: 1bc68d708e953bf10bbf6744a6b91b28.exe
Size: 959KB
MD5: 1bc68d708e953bf10bbf6744a6b91b28
SHA1: a6938a273e7a82cf4909ca40d224a6430f6a2860
SHA256: 9c46859695bed9bd827e2292e634c39e2982f40d9be6b170d185ae154a1a6a5f
SHA512: d402f564fc707cdfd6b0853da5c70f0fe7b87e933ce4ff27b28325497dc70439db82bb02c12ed7f1ed804ee3730278117302489c645efbade654f7a9bbd48a06
SSDEEP: 24576:2aTm8nQDF5o5nsuru7m/vQ4MYTsPP+1b3PqfRQ2/9:7pQR2RszOQ4JgPYb3YR/9
Malware Config
Extracted
Family: vidar
Version: 11.5
Botnet: 583ba11aa826bd4d97a3a14cb18c8fac
C2: https://t.me/gos90t
C2: https://steamcommunity.com/profiles/76561199800374635
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures

Detect Vidar Stealer (5 IoCs)
resource | yara_rule
behavioral2/memory/2404-632-0x00000000043D0000-0x0000000004629000-memory.dmp | family_vidar_v7
behavioral2/memory/2404-633-0x00000000043D0000-0x0000000004629000-memory.dmp | family_vidar_v7
behavioral2/memory/2404-634-0x00000000043D0000-0x0000000004629000-memory.dmp | family_vidar_v7
behavioral2/memory/2404-651-0x00000000043D0000-0x0000000004629000-memory.dmp | family_vidar_v7
behavioral2/memory/2404-650-0x00000000043D0000-0x0000000004629000-memory.dmp | family_vidar_v7

Vidar family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 1bc68d708e953bf10bbf6744a6b91b28.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | Mother.pif

Executes dropped EXE (1 IoC)
pid | Process
2404 | Mother.pif

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
pid | Process
2972 | tasklist.exe
1384 | tasklist.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\DirectiveTommy | 1bc68d708e953bf10bbf6744a6b91b28.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bc68d708e953bf10bbf6744a6b91b28.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mother.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Mother.pif
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Mother.pif

Delays execution with timeout.exe (1 IoC)
pid | Process
3208 | timeout.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2972 | tasklist.exe
Token: SeDebugPrivilege | 1384 | tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
2404 | Mother.pif
2404 | Mother.pif
2404 | Mother.pif

Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 4768 wrote to memory of 336 | 4768 | 1bc68d708e953bf10bbf6744a6b91b28.exe | 82
PID 4768 wrote to memory of 336 | 4768 | 1bc68d708e953bf10bbf6744a6b91b28.exe | 82
PID 4768 wrote to memory of 336 | 4768 | 1bc68d708e953bf10bbf6744a6b91b28.exe | 82
PID 336 wrote to memory of 2972 | 336 | cmd.exe | 88
PID 336 wrote to memory of 2972 | 336 | cmd.exe | 88
PID 336 wrote to memory of 2972 | 336 | cmd.exe | 88
PID 336 wrote to memory of 2240 | 336 | cmd.exe | 89
PID 336 wrote to memory of 2240 | 336 | cmd.exe | 89
PID 336 wrote to memory of 2240 | 336 | cmd.exe | 89
PID 336 wrote to memory of 1384 | 336 | cmd.exe | 90
PID 336 wrote to memory of 1384 | 336 | cmd.exe | 90
PID 336 wrote to memory of 1384 | 336 | cmd.exe | 90
PID 336 wrote to memory of 1992 | 336 | cmd.exe | 91
PID 336 wrote to memory of 1992 | 336 | cmd.exe | 91
PID 336 wrote to memory of 1992 | 336 | cmd.exe | 91
PID 336 wrote to memory of 4132 | 336 | cmd.exe | 92
PID 336 wrote to memory of 4132 | 336 | cmd.exe | 92
PID 336 wrote to memory of 4132 | 336 | cmd.exe | 92
PID 336 wrote to memory of 2484 | 336 | cmd.exe | 93
PID 336 wrote to memory of 2484 | 336 | cmd.exe | 93
PID 336 wrote to memory of 2484 | 336 | cmd.exe | 93
PID 336 wrote to memory of 1900 | 336 | cmd.exe | 94
PID 336 wrote to memory of 1900 | 336 | cmd.exe | 94
PID 336 wrote to memory of 1900 | 336 | cmd.exe | 94
PID 336 wrote to memory of 2404 | 336 | cmd.exe | 95
PID 336 wrote to memory of 2404 | 336 | cmd.exe | 95
PID 336 wrote to memory of 2404 | 336 | cmd.exe | 95
PID 336 wrote to memory of 3712 | 336 | cmd.exe | 96
PID 336 wrote to memory of 3712 | 336 | cmd.exe | 96
PID 336 wrote to memory of 3712 | 336 | cmd.exe | 96
PID 2404 wrote to memory of 4072 | 2404 | Mother.pif | 102
PID 2404 wrote to memory of 4072 | 2404 | Mother.pif | 102
PID 2404 wrote to memory of 4072 | 2404 | Mother.pif | 102
PID 4072 wrote to memory of 3208 | 4072 | cmd.exe | 104
PID 4072 wrote to memory of 3208 | 4072 | cmd.exe | 104
PID 4072 wrote to memory of 3208 | 4072 | cmd.exe | 104
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\1bc68d708e953bf10bbf6744a6b91b28.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1bc68d708e953bf10bbf6744a6b91b28.exe"
    PID: 4768
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat
      PID: 336
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        PID: 2972
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [level 3] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "wrsa opssvc"
        PID: 2240
        - System Location Discovery: System Language Discovery

    [level 3] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        PID: 1384
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [level 3] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        PID: 1992
        - System Location Discovery: System Language Discovery

    [level 3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c md 436117
        PID: 4132
        - System Location Discovery: System Language Discovery

    [level 3] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V "NuclearRemarksReliabilityComputation" Young
        PID: 2484
        - System Location Discovery: System Language Discovery

    [level 3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b ..\Ky + ..\Appears + ..\Educators + ..\Images + ..\Driver + ..\Generations + ..\Lol v
        PID: 1900
        - System Location Discovery: System Language Discovery

    [level 3] C:\Users\Admin\AppData\Local\Temp\436117\Mother.pif
        Command line: Mother.pif v
        PID: 2404
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [level 4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\436117\Mother.pif" & rd /s /q "C:\ProgramData\HIIDGCGCBFBA" & exit
          PID: 4072
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [level 5] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 10
            PID: 3208
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

    [level 3] C:\Windows\SysWOW64\choice.exe
        Command line: choice /d y /t 5
        PID: 3712
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads