Overview

overview

10

Static

static

1

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

resource/R...ta.dll

windows7-x64

1

resource/R...ta.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    464.6MB

  • MD5

    350a2e8a8fd1cc46f25ff822b5fef864

  • SHA1

    6ced61594dbe240d0dbaa548eba526790b6e27f5

  • SHA256

    83b096c9efd0c9c855b9b8a7d70ebfb7f50e0449a824c52bf18a81b75a6037bd

  • SHA512

    27d75283812c73fe5e9d0bdfbf590ae00d2f2ae024c1dcc83c16e186ff65f2ceb3b939cef828e1bab7005356ba39d5dd96cca06a7d6fcfd37533aa48e68c2f15

  • SSDEEP

    24576:Lum9BtnqcmZV0mNzVLjFD23pWVKgnJC2Tld/wCyKkgJe/lgTbSUobuLA4ibic:L3qrZBLfY3pWVrJdf/wPKI/qRob2A4iH

Score
10/10
vidar839discoverystealer

Malware Config

Extracted

Family

vidar

Version

2.4

Botnet

839

C2

https://t.me/gurutist

https://steamcommunity.com/profiles/76561199476091435

http://95.216.164.28:80
Attributes
  • profile_id

    839

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/772-16-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/772-34-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/772-18-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/772-20-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/772-19-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/924-10-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/924-14-0x0000000007140000-0x00000000071DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/924-7-0x0000000005C90000-0x0000000005C9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/924-8-0x0000000006810000-0x0000000006916000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/924-9-0x0000000005C70000-0x0000000005C84000-memory.dmp

    Filesize

    80KB

    Download

  • memory/924-0-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/924-11-0x0000000074230000-0x00000000749E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/924-12-0x0000000006150000-0x000000000615C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/924-13-0x0000000006FD0000-0x000000000709C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/924-6-0x0000000005CB0000-0x0000000006004000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/924-15-0x00000000070A0000-0x0000000007116000-memory.dmp

    Filesize

    472KB

    Download

  • memory/924-5-0x0000000074230000-0x00000000749E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/924-4-0x0000000005AF0000-0x0000000005B82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/924-3-0x0000000074230000-0x00000000749E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/924-2-0x0000000006260000-0x0000000006804000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/924-21-0x0000000074230000-0x00000000749E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/924-1-0x0000000000F30000-0x00000000010BC000-memory.dmp

    Filesize

    1.5MB

    Download