Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 11:49
Static task
static1
Behavioral task
behavioral1
Sample
e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe
Resource
win10v2004-20241007-en
General
-
Target
e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe
-
Size
6.2MB
-
MD5
584cf4a4f9cb958539ac091b3a79fd3a
-
SHA1
83cf9bfe5747e7155ca816c752658ad3aaa0d9fa
-
SHA256
e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7
-
SHA512
6acd009c4ab0f0e548669af6e1b68f13a5c60bca36a6ccc2095796b415dde47dd0f1d5c2ae587a4735fbecaf3b73046389c291ebac45dd131682e2b9407f4249
-
SSDEEP
12288:yQuJMMD+15Kx4I3y41UyKvXVr4D2P8wMxmAQvOwLALDOQyQWDs0H:IyM0IZTyZVEakxmdVALDONPjH
Malware Config
Extracted
vidar
11.8
8ff0797948d4b39f051a704ea27bdbde
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures
-
Detect Vidar Stealer 7 IoCs
resource yara_rule behavioral1/memory/2796-8-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 behavioral1/memory/2796-10-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 behavioral1/memory/2796-11-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 behavioral1/memory/568-31-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 behavioral1/memory/568-30-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 behavioral1/memory/568-83-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 behavioral1/memory/568-84-0x0000000000400000-0x0000000000659000-memory.dmp family_vidar_v7 -
Stealc family
-
Vidar family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2212 set thread context of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wab.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2408 timeout.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 568 wab.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2796 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 31 PID 2212 wrote to memory of 2684 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 32 PID 2212 wrote to memory of 2684 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 32 PID 2212 wrote to memory of 2684 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 32 PID 2212 wrote to memory of 2684 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 32 PID 2212 wrote to memory of 2772 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 33 PID 2212 wrote to memory of 2772 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 33 PID 2212 wrote to memory of 2772 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 33 PID 2212 wrote to memory of 2772 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 33 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2848 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 34 PID 2212 wrote to memory of 2908 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 35 PID 2212 wrote to memory of 2908 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 35 PID 2212 wrote to memory of 2908 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 35 PID 2212 wrote to memory of 2908 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 35 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 568 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 36 PID 2212 wrote to memory of 2560 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 37 PID 2212 wrote to memory of 2560 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 37 PID 2212 wrote to memory of 2560 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 37 PID 2212 wrote to memory of 2560 2212 e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe 37 PID 568 wrote to memory of 2188 568 wab.exe 40 PID 568 wrote to memory of 2188 568 wab.exe 40 PID 568 wrote to memory of 2188 568 wab.exe 40 PID 568 wrote to memory of 2188 568 wab.exe 40 PID 2188 wrote to memory of 2408 2188 cmd.exe 42 PID 2188 wrote to memory of 2408 2188 cmd.exe 42 PID 2188 wrote to memory of 2408 2188 cmd.exe 42 PID 2188 wrote to memory of 2408 2188 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe"C:\Users\Admin\AppData\Local\Temp\e302bc75ac48569ac8f9ab3dbd31302b9ccb8858305a83698dca10e047aaeaa7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:2796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵PID:2684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵PID:2772
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"2⤵PID:2848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵PID:2908
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Program Files (x86)\Windows Mail\wab.exe" & rd /s /q "C:\ProgramData\FHDHCAAKECFI" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2408
-
-
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"2⤵PID:2560
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b