Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 19:56
Static task: static1

Behavioral task: behavioral1
  Sample: 1f4548aac2c166bacd286c6f5243908f.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1f4548aac2c166bacd286c6f5243908f.exe
  Resource: win10v2004-20241007-en
General

Target: 1f4548aac2c166bacd286c6f5243908f.exe
Size: 863KB
MD5: 1f4548aac2c166bacd286c6f5243908f
SHA1: 4f1aa4c962860e6c80c626c367ce60b87fc62022
SHA256: 023b8573a4295c5f78f6e89b13062e5c185d74e57d2b1c8ec066393bba87313a
SHA512: 889bb965859ef077ced15d0f15e4c75b743726582841b72b9634f958749671325965a1ee99c680d72db1b19a5b05a4868b7017baa73c7b88673a96689e32ce93
SSDEEP: 24576:wy0fEYxFMyNiAX1dwhCEcAXWnKu4UaOa1/lLD:3AjP1dwhCVvnKXUaOU/lLD
Malware Config
Signatures

Detect Vidar Stealer (4 IoCs)
  resource | yara_rule
  behavioral2/memory/1316-398-0x0000000003F50000-0x0000000004189000-memory.dmp | family_vidar_v7
  behavioral2/memory/1316-397-0x0000000003F50000-0x0000000004189000-memory.dmp | family_vidar_v7
  behavioral2/memory/1316-405-0x0000000003F50000-0x0000000004189000-memory.dmp | family_vidar_v7
  behavioral2/memory/1316-406-0x0000000003F50000-0x0000000004189000-memory.dmp | family_vidar_v7

Vidar family

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 1f4548aac2c166bacd286c6f5243908f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Vibrators.com

Executes dropped EXE (1 IoC)
  pid | Process
  1316 | Vibrators.com
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  4176 | tasklist.exe
  2308 | tasklist.exe

Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\ChanceDark | 1f4548aac2c166bacd286c6f5243908f.exe
  File opened for modification | C:\Windows\InstructionsTeaching | 1f4548aac2c166bacd286c6f5243908f.exe
  File opened for modification | C:\Windows\AttemptedPresents | 1f4548aac2c166bacd286c6f5243908f.exe
  File opened for modification | C:\Windows\DaveProtected | 1f4548aac2c166bacd286c6f5243908f.exe
  File opened for modification | C:\Windows\PersonallySullivan | 1f4548aac2c166bacd286c6f5243908f.exe
  File opened for modification | C:\Windows\DeeplyUnlimited | 1f4548aac2c166bacd286c6f5243908f.exe
  File opened for modification | C:\Windows\PornoVintage | 1f4548aac2c166bacd286c6f5243908f.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Vibrators.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1f4548aac2c166bacd286c6f5243908f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Vibrators.com
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Vibrators.com
Delays execution with timeout.exe (1 IoC)
  pid | Process
  1712 | timeout.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  1316 | Vibrators.com (14 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4176 | tasklist.exe
  Token: SeDebugPrivilege | 2308 | tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  1316 | Vibrators.com (3 identical entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  1316 | Vibrators.com (3 identical entries)

Suspicious use of WriteProcessMemory (36 IoCs)
  Each of the 12 distinct events below is listed three times in the report, giving 36 IoCs.
  description | pid | Process | procid_target
  PID 1504 wrote to memory of 5016 | 1504 | 1f4548aac2c166bacd286c6f5243908f.exe | 83
  PID 5016 wrote to memory of 4176 | 5016 | cmd.exe | 85
  PID 5016 wrote to memory of 2224 | 5016 | cmd.exe | 86
  PID 5016 wrote to memory of 2308 | 5016 | cmd.exe | 90
  PID 5016 wrote to memory of 2344 | 5016 | cmd.exe | 91
  PID 5016 wrote to memory of 3396 | 5016 | cmd.exe | 92
  PID 5016 wrote to memory of 3684 | 5016 | cmd.exe | 93
  PID 5016 wrote to memory of 3660 | 5016 | cmd.exe | 94
  PID 5016 wrote to memory of 1316 | 5016 | cmd.exe | 95
  PID 5016 wrote to memory of 2560 | 5016 | cmd.exe | 96
  PID 1316 wrote to memory of 2728 | 1316 | Vibrators.com | 111
  PID 2728 wrote to memory of 1712 | 2728 | cmd.exe | 113
Processes

(Indentation shows the parent/child nesting of the process tree.)

C:\Users\Admin\AppData\Local\Temp\1f4548aac2c166bacd286c6f5243908f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1f4548aac2c166bacd286c6f5243908f.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1504

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy Adjacent Adjacent.cmd & Adjacent.cmd
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5016

    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4176

    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "opssvc wrsa"
      - System Location Discovery: System Language Discovery
      PID: 2224

    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2308

    C:\Windows\SysWOW64\findstr.exe
      command line: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      - System Location Discovery: System Language Discovery
      PID: 2344

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md 415434
      - System Location Discovery: System Language Discovery
      PID: 3396

    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /V "Analyze" Arabic
      - System Location Discovery: System Language Discovery
      PID: 3684

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b ..\Reflected + ..\Subdivision + ..\Change + ..\Checked o
      - System Location Discovery: System Language Discovery
      PID: 3660

    C:\Users\Admin\AppData\Local\Temp\415434\Vibrators.com
      command line: Vibrators.com o
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1316

      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\415434\Vibrators.com" & rd /s /q "C:\ProgramData\A1VKFU3EKF3E" & exit
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2728

        C:\Windows\SysWOW64\timeout.exe
          command line: timeout /t 10
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 1712

    C:\Windows\SysWOW64\choice.exe
      command line: choice /d y /t 5
      - System Location Discovery: System Language Discovery
      PID: 2560
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 925KB
MD5: 62d09f076e6e0240548c2f837536a46a
SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Filesize: 274KB
MD5: 3a313e5a0d3931a81ba6f11ba1961032
SHA1: d003bdac65dbb1ec98c27532ac6549359e5f4a4f
SHA256: 5c7705aa7b8b5b9c4f2c0893b6d861a93dc65ba4ae4346ca635990690dc3eedf
SHA512: 4031f7e955db9185d1b6fcd8d6cb118e1653c910255cf68e93fd151e70016cee6d2ddb57c375b63325773dc794734e1efa8fc445cf878d85d0abf5fab308f9f5

Filesize: 15KB
MD5: 3dc92b0a897b53f1f718cc04ddb09ae5
SHA1: 02c727a56b28a44bf033df4a53289aff9ffdc4ee
SHA256: 6f1e5610ebaaadc65fb9a34edcd979fa34ac2c1cc4b8dfd1b62dee054c4697d1
SHA512: 29dd812744265a34f558c01a5a5b17b13dcc260ab8fe7dcbeb4548bfd2c6a441d7ddaccf01cba0bca6d68a0f137ca8a5d5740a8006b45fbedc9df313817e84cd

Filesize: 52KB
MD5: 0f3de5157ff9571317658b129e37c81b
SHA1: e0de9b46e26da3c88e50c21cc9c5c0e3934f9c3c
SHA256: a08efe794355f41f2dd094a94405aaf80fed006a87463f934d28f35bf2bd96df
SHA512: cf51a740213d909477910aaf609d6c8671a64ca2ca084831b858bf2900771f21b85dffaac13039fb90c0b711b84591c494af7ebe279eecd13cb4b5c329e04bc9

Filesize: 2KB
MD5: 8a5d92e99e9061975db86e103003537d
SHA1: ee58ed18540a398e5a87bd40ced077ed82d95b04
SHA256: 2282ab2492f8a81c9e6063cc97e2745a74338a94581d711a22cd8e453c82c724
SHA512: b30bc2f9c5b1da401f50f25b2330d0c9482ac4aee223cacd30e27609cb9b7de0c8ab88abc941a2be87e7fe5497dd2c6809c9ce651f362741ba7cda1d3476ccca

Filesize: 70KB
MD5: 549f8fdd4d1c4516c48f11445aadcb6e
SHA1: 10fe0f7335139ca423ce1fcf74d7d1309e2d6e03
SHA256: 401473b1a8ca70d03e18d018b69838c7a7dda0d2e726640e56d41a6efa4578aa
SHA512: a10ce1a53d052648241ddd34424e3669a25a48950a78f1c45d30c1d57f1bb7f58d6e4d98f465324b3a33659fe308450ef7231d86d6c297deebb0eb23cb66168f

Filesize: 69KB
MD5: 602733c5597dee2f3dfaf0b9d9f162ba
SHA1: f1fed367db466813440968510f0ffa77b188843c
SHA256: 52f2163c4d9365b2115469a1ba8afc077dc727d4fe9b7f4e236a33033e2e4bfc
SHA512: 571ad4f939a7f5f7d918a2f55314d18294ea4e0fbbc913ae54800c19afd411b29fcecbd20e9f09288a5fd1c9bff6c81f348f3946e684d87f17fdf0a2f19c4ac4

Filesize: 49KB
MD5: e778f8484a37b636a2208ceec6cdfdc4
SHA1: 3a9f6ab2cf95d8a22b7cd4a7540c853a4741eea9
SHA256: 6c29432ead9765778215d6a0dd979b19b2e388631a8c962f44b18e9a00f13fbb
SHA512: 2c8365606c7744b02eb332f6fc115bc40efc6eb22600a798d922d40b61b7e9371216aef54e2ccdc918c49c1feb5348991b972ae493b8b9e67e217f5e0d2e791d

Filesize: 50KB
MD5: bae4defe22a7096ba4e91b88ad79342a
SHA1: 932c690a819838bd023419105cd8451184dd2577
SHA256: 02eba91d5c2d4b6adf445d8baca3ba98c13ecd6bf72509fc594d97a886af1e11
SHA512: bbe6a472fc030f7b6d04b91626b8830f6ab5c2a74e39ac265df8e13d0514a00ad76290ee83eb717ab7dd6d6b5937c205c92fabc64666235329987f0986cb6ef4

Filesize: 69KB
MD5: b6513387cb33b9e3b21894cb546fd15a
SHA1: 708fbab2683b0c2cf81abf9c25b87d338a6f326d
SHA256: b3166b4ca47bbc68ddfe4706e8d55b6a8b9e3cfd5a6aeb8cfd74f21959d46336
SHA512: 582ee6a04f3686352c10acdd1dbfd57d75c41d779e84bd6ba49499e9b89620976c20f5d59e3b980fd0bf1caa6224c41ab5512d0b57390688c17470e60fded39e

Filesize: 102KB
MD5: 13b516ac4620caba657c929217376b24
SHA1: 46d9a25b5b4ed6ccaee6e205a5bb16df467b81b7
SHA256: a0f145a2675df3f0f3bf3ef9f4ad6713b50a8f77b6edec0a1e4dbf623b73cce7
SHA512: 76c0ddc6ea08be9e94ab707fb1395cf62c787e311e89784e9d8e19905f533ecf2889c044d90bea0303cf38ac88423bb4949e4fcd2b96e25f3d70f27325a0d233

Filesize: 129KB
MD5: e1b0af5d443066eea94b61d99e0ee62c
SHA1: 6f75e9962d4ac523202cf7bbfe5a232efa3d173e
SHA256: e1df43031fa795ce7934c5904c6b313db4562ae915b4515aec46c864d05fbd94
SHA512: 6d124ad38ca0d4a60ef0d950137caccb8a70e00d0917c4ae5fd915ee238cfb23e12f49311e8efb13c6f3fd3ae254963fa46c2eaa3f6e812c612debb512f30990

Filesize: 55KB
MD5: 7002c079ac3f38f0b30dc8b78281f49b
SHA1: dfa54c9b95f4a98c8ed91fe9a3d8ebadbfaf7c27
SHA256: 667ffb5d78cb41b44d66070137e1a8b9624b9183f3c9880e2d084cb9e5e0ad9a
SHA512: 45d36f6c9fd776ea19d7f99c6fc09d270b2fbfac7c00ec7cb283bc50d5f9f48fa78085a74906580d65946e6451922df327c406a0fff19037d425b53e1009e1ae

Filesize: 67KB
MD5: 7116db0fac7ab6d372fd65e771ab19c5
SHA1: 0cd89cfa95053d7a72fc10e71a9d3491561c54eb
SHA256: a145a42f62fd6415d90eb19aa0f8bd7835d4f69c3cabcd0f0b33823939430176
SHA512: 013910d34675d101bbf70c459ff75e108a966858650ae40d09cc5508a75d18b2cb4cce3f183e5c96be51f7a168fed3cda3526b45ee922a839966221a76ce3aa7

Filesize: 147KB
MD5: 7a4d858a28bf1021a505bd7b887471c8
SHA1: 3bc3a082967cd35e731f0ed204578d24b82eae43
SHA256: c976fe1259ca5f8ac1b2824cf81aa127b3a24cf6153f15ca73cac9fe90905f7e
SHA512: bf88068fdbcbed8a13ddda3f7e9bccf8e43770791bec9c7bb554abf9bc0bb19956f4927886557da346731c307c1349cda2a59c5402702db441dfe0b64a33bfd9

Filesize: 97KB
MD5: ca7b64cee6d9877398dfecbe57a31e58
SHA1: f269ea6eca1fbb1d6c7288532b736bf9ca80b816
SHA256: 5b3728625673dfca9d3beafd7dd83e507b013bce995e56123549fb48ef9788c6
SHA512: 1af496087574d4bf1e4b53ae65885dbd3cffd3b78aff731828927e8862297a13e550198650ae5215837e0f8c3397379ac16a008fcd9c7a8646bfae2a61aa6f38

Filesize: 50KB
MD5: e7c05ca7d940e3408df0fae2a74ce384
SHA1: 61046cb2850564820ab3711030e9604fa05bdb0b
SHA256: d79e6e2032ce75882d234354f85f932c3ecde877f2d580cb9ab1d0748c613e0a
SHA512: bb073e6ff27d33b3d7c4d522aa80b5b038d89d41a92cc8d4036eeabf7247c4fd4001b8e2f676bd1972f1fe7b1f83d315cae28b011f04b34c46a2b36f5b5d82d2

Filesize: 59KB
MD5: 18d5b284cfe22cc2d89ab4c8d871931e
SHA1: 28f9050b36ec12b7f700a71d8c5a8823a153f5f4
SHA256: cbf82b49dc2c10bf0af336903d01f9b4048fc83f00239e8e8a218f1f4915c73b
SHA512: 5af4506133c43ec2e505f4ed8d73c5b0b8bba6f66664b02baad137c3edd26195ffb5d8f1d2b4fe5c07b536f924c120e72e66c782e730f480d787eed475006c4d

Filesize: 131KB
MD5: 380c1f3e0375453a86e78080db197a21
SHA1: 0c9e9846195c8a062ef6dc403488dcd523e3a947
SHA256: 316162a748cb78ae4d685687cb4a3ba1ad03d00bf28bfa7da3df3d07ee48eeda
SHA512: c217a6e8c01e7c619fa6cca6db6dae39a237cf2c47deefe49052198b502a0004e07a14f41df514e0c5ff8c09dff421d986f85f832babca8bc2d40bad0ac3fbab