Analysis
-
max time kernel
95s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 12:43
Static task
static1
Behavioral task
behavioral1
Sample
ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
Resource
win10v2004-20241007-en
General
-
Target
ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
-
Size
1.1MB
-
MD5
774c8215da3cb73644d36ca3f60e676b
-
SHA1
375f9c6d12374f17cd8f483c565015171b988e49
-
SHA256
ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d
-
SHA512
ceff4e53bdd23ce784be45b6ffa5598f01edaf16a800ba5fe1367b2fcc29de943d5cab9d40123ac9fc61677749b9c8b2efecb3624f05d285097bd6dc0e901207
-
SSDEEP
24576:s9y5ZBrOwXMFjy47F710L+O0WK2h4xsPxdUn6d9dZiffX6j76oy4cXW:skjrOaM97F71tbWK2h1Px06fdqCja4mW
Malware Config
Extracted
vidar
11
57a8c39f1ac1987167a282329835ec7a
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 5 IoCs
resource yara_rule behavioral2/memory/3484-32-0x0000000004DD0000-0x0000000005046000-memory.dmp family_vidar_v7 behavioral2/memory/3484-33-0x0000000004DD0000-0x0000000005046000-memory.dmp family_vidar_v7 behavioral2/memory/3484-34-0x0000000004DD0000-0x0000000005046000-memory.dmp family_vidar_v7 behavioral2/memory/3484-50-0x0000000004DD0000-0x0000000005046000-memory.dmp family_vidar_v7 behavioral2/memory/3484-51-0x0000000004DD0000-0x0000000005046000-memory.dmp family_vidar_v7 -
Vidar family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Batch.pif -
Executes dropped EXE 1 IoCs
pid Process 3484 Batch.pif -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 5028 tasklist.exe 1660 tasklist.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\PrefersTracks ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe File opened for modification C:\Windows\ConsideringAttached ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe File opened for modification C:\Windows\HoneyAmounts ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe File opened for modification C:\Windows\DevelopedSimulation ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe File opened for modification C:\Windows\CautionKnife ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Batch.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Batch.pif Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Batch.pif -
Delays execution with timeout.exe 1 IoCs
pid Process 2176 timeout.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5028 tasklist.exe Token: SeDebugPrivilege 1660 tasklist.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3484 Batch.pif 3484 Batch.pif 3484 Batch.pif -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 264 wrote to memory of 3328 264 ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe 82 PID 264 wrote to memory of 3328 264 ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe 82 PID 264 wrote to memory of 3328 264 ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe 82 PID 3328 wrote to memory of 5028 3328 cmd.exe 86 PID 3328 wrote to memory of 5028 3328 cmd.exe 86 PID 3328 wrote to memory of 5028 3328 cmd.exe 86 PID 3328 wrote to memory of 396 3328 cmd.exe 87 PID 3328 wrote to memory of 396 3328 cmd.exe 87 PID 3328 wrote to memory of 396 3328 cmd.exe 87 PID 3328 wrote to memory of 1660 3328 cmd.exe 90 PID 3328 wrote to memory of 1660 3328 cmd.exe 90 PID 3328 wrote to memory of 1660 3328 cmd.exe 90 PID 3328 wrote to memory of 4076 3328 cmd.exe 91 PID 3328 wrote to memory of 4076 3328 cmd.exe 91 PID 3328 wrote to memory of 4076 3328 cmd.exe 91 PID 3328 wrote to memory of 4064 3328 cmd.exe 92 PID 3328 wrote to memory of 4064 3328 cmd.exe 92 PID 3328 wrote to memory of 4064 3328 cmd.exe 92 PID 3328 wrote to memory of 2588 3328 cmd.exe 93 PID 3328 wrote to memory of 2588 3328 cmd.exe 93 PID 3328 wrote to memory of 2588 3328 cmd.exe 93 PID 3328 wrote to memory of 4240 3328 cmd.exe 94 PID 3328 wrote to memory of 4240 3328 cmd.exe 94 PID 3328 wrote to memory of 4240 3328 cmd.exe 94 PID 3328 wrote to memory of 3484 3328 cmd.exe 95 PID 3328 wrote to memory of 3484 3328 cmd.exe 95 PID 3328 wrote to memory of 3484 3328 cmd.exe 95 PID 3328 wrote to memory of 3416 3328 cmd.exe 96 PID 3328 wrote to memory of 3416 3328 cmd.exe 96 PID 3328 wrote to memory of 3416 3328 cmd.exe 96 PID 3484 wrote to memory of 2316 3484 Batch.pif 100 PID 3484 wrote to memory of 2316 3484 Batch.pif 100 PID 3484 wrote to memory of 2316 3484 Batch.pif 100 PID 2316 wrote to memory of 2176 2316 cmd.exe 102 PID 2316 wrote to memory of 2176 2316 cmd.exe 102 PID 2316 wrote to memory of 2176 2316 cmd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe"C:\Users\Admin\AppData\Local\Temp\ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"3⤵
- System Location Discovery: System Language Discovery
PID:396
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"3⤵
- System Location Discovery: System Language Discovery
PID:4076
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4004453⤵
- System Location Discovery: System Language Discovery
PID:4064
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "navyfurthermoreacceptableinvestigator" Profession3⤵
- System Location Discovery: System Language Discovery
PID:2588
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O3⤵
- System Location Discovery: System Language Discovery
PID:4240
-
-
C:\Users\Admin\AppData\Local\Temp\400445\Batch.pifBatch.pif O3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\400445\Batch.pif" & rd /s /q "C:\ProgramData\CAKEBFCFIJJK" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2176
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:3416
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
549KB
MD506217e9f55ff1dc889a0aa9aa2999b3c
SHA1fad711a89fe670deca51f31fab7249d3f4232b3d
SHA256bd7d098fba2a343099199ba99efd5191d62c341ad8883c7d4049e529f2355ffe
SHA512fff6a95db81a48e6df4493c0aa8b373a97b592388b39c1ec5fd598892a43c4cc3d985d0e1405ac4ab7afc1919169fbff923a1b5bccb42083234a7c972c94317d
-
Filesize
865KB
MD5f893c06408989444917becc2c67e9720
SHA1734160892a99b544f052fd92382010b80d054020
SHA25602631bb82ed0d34347ba2980f9d5eb2ba2cd26e942c3f922b9215dd19ddf267e
SHA512f49127c364acc89e5af14a901acba96ae2d39adb259ac20aebc20d3d9d55441d0c3c4199d886ea11ada02d4f27a3dd36f8d884e627c00d6cfb55fe18cd35fcf2
-
Filesize
64KB
MD5155702daaed607a3b9ae37027494655e
SHA1b641842104fe4d99fcb4daae6435c5c3a9836d4a
SHA25645173dcbe34d1963927f6f5f1a30be883807b9cfa55c27857115a43fa14c9e15
SHA51269c436f8f7918422a7d61260dd242a9b737340f0b6c69e23a04e28b310d8b9f6c2b5534761d57a840e6b68765196ac81172cc43f37d30c6c4d4ec2cafbb02f48
-
Filesize
72KB
MD501d316f7f74b486c817c69726cefc328
SHA126c56b95c7aa7dc4fce2ddaadd9ec344bcc9f2e2
SHA256dc10cd792e2859702c384da65c0c1bdaac764563c7311fb3c58495ed96791534
SHA512373f403b537e833fe052640cbf75d4c819352027029dcc552fa3dc1d2fddd0fa36ac9084bfc912186b78951c3390414d123eb50b01c4be64101b5b4d2e96c720
-
Filesize
51KB
MD5b6b68a11d199c97c897a262d3314a9ed
SHA107b63697ebdfdcd1910390b43477562dbc150355
SHA2564a1c8403f1325713242c06529510ea73e88590760d20d836d7ba987586e99613
SHA51270b79ce0e9ef278974576136bebf706646f6d7412b5c1eeb6ab9131ecd7b33621f2382009dc59758ea257f865b425e83c10e1fe2db52173d48d3923ee3821415
-
Filesize
97KB
MD539904f7826116996701e702069a0ca0d
SHA15b0133ca89160ac7f4805f4b054337a985086f69
SHA2565ba66a80e757c3a7cf2e16e709090fcbe8f8019e70c4266fd957ce4878b8719a
SHA512c67407d641b9cda3ee41778ddae04566853c1e9d99d89c3e8beb54c27b68bfbe39da7d632acfc5ace72941c7c0b94c57cd08f732c5dcb4a4a845f8da5a94e569
-
Filesize
91KB
MD582b096504036d6c23531db83a3dbc2bb
SHA16747cc73044ada91759edfcc19206038dd5af327
SHA25653744685d58b788ec091eb57fa850ed1a78c17b80ee1ba21796d6533e4c07cd0
SHA512f5f1819fddcf159b5e60972741a3e270c9a26b41ee4220739aa381a09264ed4d7f9e5d4fe18df4d066850c241a20baf638f163ef8992bc917b9b86b043ba31f0
-
Filesize
6KB
MD56095cc0e5110bfbf129b695533148cf3
SHA14dfd2f248e726dc1357f15b16b80a1ab71f3a46e
SHA256a354428e5be2519aa3db2abed313d510ae754ddf052c38f405235bdc73c2c630
SHA512ae6307fa1b327d34a56e80e40412e6557746fc6ec3ee7a7e7040b8be8826016b78e77c77b5041888c92ad1ee0b760b3ccd7d2f6d3bf66c0d577aa936d98170f1
-
Filesize
66KB
MD509cafc2cd2586f5bfab33937d069b114
SHA1c7303feb233867e8deedec7003347dfe90701f0b
SHA2565b31062934d1afe4e887b181cc0f2add523465a63f710333824102749ae2a768
SHA5125ab63bfca3aace35117dd4013b44ff9ec8edf8c9dfa79481ed3f8b2b5790aec3b01b512286a52eff7c8c210de7bf3093274289c10a3be0ef74d51f2e399d80f3
-
Filesize
78KB
MD544d0f8f9c4b06736e9063432c40ad468
SHA179396180851fba1d3b611603455d61798574891d
SHA256df754244594bab7d25764ca6df24dc7e19d3d6eb8ab29a575b665c8559f6ef78
SHA512dfcfa10fb7017638889593cb7c2c7bc9d43564978f4eb05c68d49e1dbba820335b0c115a91b88011a83eee1adee0c9e4cf7900f575dcf696a079941bb7e96eb2
-
Filesize
30KB
MD5caefb3c36d5bd6c6923ea3c264f76de7
SHA14554acb578278bbb2c4db326960e49736c968459
SHA25638206815f4ea33415c17f1c5e6ec111cbcff8f31b4ebf1f16b2caf3e0e9f3ee3
SHA51297f7f9de8ecbd47c576745fcee926c70b72610c4ae535452c2b22c595de9b9b401d6ed74d5a13a9e4e9fd09291c3512401b9b3e2c638716bb37ef4030e5d4f4b
-
Filesize
20KB
MD51a43009615b399c7da8fc4748bd7149d
SHA14a118c8b399b92d7812d715b588f049b37efd6d2
SHA256afcd2cdc62a903f0cb91c678bc8f9e6a0022a06ae6ce4bb25edf3d6886ff7165
SHA51201313dcbcd37fc4f7c492ceedaf4c57c58cb2478e4c3d7510435b8ca8e3b3b55d879b216f0a2bd15e8a487d6aecc0cd2f805cba993eaa0f278dfa6cab90599ed