vidar | 72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a

Analysis

max time kernel
127s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a.exe
Size

677.6MB
MD5

1121503015a0161f94ceaba6461390d0
SHA1

1e9ac9da1bef57aa879e9f13cfd3951177c4b96f
SHA256

72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a
SHA512

370218c27c01b8c9f4a3bc5da29ad3b6ff4758c24e3a97e2389214f4963e2299c3cb0aacf711b8a33f2f78919fceac862da6cfbb28107541cfc1666237327482
SSDEEP

12582912:qQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQKQyQyQyQyQyQyn:qnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn

Score

10^/10

vidar e80365af73075d595692b2d62040c2c8 discovery stealer vmprotect

Malware Config

Extracted

Family

vidar

Version

4.8

Botnet

e80365af73075d595692b2d62040c2c8

https://t.me/sundayevent

https://steamcommunity.com/profiles/76561198982268531

Attributes

profile_id_v2
e80365af73075d595692b2d62040c2c8
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1436-8-0x00000000009A0000-0x000000000132C000-memory.dmp	vmprotect
behavioral2/memory/1436-23-0x00000000009A0000-0x000000000132C000-memory.dmp	vmprotect

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	JaffaCakes118_72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a.exe
1436	JaffaCakes118_72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72b00a7e7cd31bd9c102d7473208115cfd2586c2a7c081957250ef1762b6059a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1436-0-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1436-1-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/1436-8-0x00000000009A0000-0x000000000132C000-memory.dmp

Filesize
9.5MB

Download
memory/1436-7-0x0000000000A43000-0x0000000000D84000-memory.dmp

Filesize
3.3MB

Download
memory/1436-5-0x0000000001710000-0x0000000001711000-memory.dmp

Filesize
4KB

Download
memory/1436-4-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/1436-3-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1436-2-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/1436-22-0x0000000000A43000-0x0000000000D84000-memory.dmp

Filesize
3.3MB

Download
memory/1436-23-0x00000000009A0000-0x000000000132C000-memory.dmp

Filesize
9.5MB

Download