Overview

overview

10

Static

static

1

DuckMatter.exe

windows7-x64

10

DuckMatter.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DuckMatter.exe

  • Size

    1.2MB

  • MD5

    9908fef6dfd69de72ffa10ae467c2502

  • SHA1

    173888707b098b976976cd1ed0f3e57905de4d4b

  • SHA256

    31619be786bd17a126d0962c80871e93ea9263880cd98fad5a8aa450525e24d6

  • SHA512

    2eab6699e11a3fe7ea2956dc2ff1221b001f67ee4fd08eb7140fd6dfabbeb351b61680374cc46f2f8bb07abf5d945554f84ba0dded166eb572666397ba3fdaf9

  • SSDEEP

    24576:Ep5OqtY0d/FzUuYnpaoW0yVdd0NRHp7xMsO4xt/5PQhHJ:KOqtYMzOAtnditRxMsr5PsHJ

Score
10/10
vidarcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Detect Vidar Stealer 4 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DuckMatter.exe
    "C:\Users\Admin\AppData\Local\Temp\DuckMatter.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Camcorders Camcorders.cmd & Camcorders.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3652
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1264
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 121759
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1284
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Including
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2028
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Contracts" Food
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Dial + ..\Reaction + ..\Rw + ..\More C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1560
      • C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com
        Conditioning.com C
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com" & rd /s /q "C:\ProgramData\4O8YUKNY5XBA" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2308
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\121759\C
    Filesize

    281KB

    MD5

    3bf50099b20498ddd1ba273763a8bf2a

    SHA1

    66fb6dc9fd5c6a1945868aa57d4d85b7747de5fc

    SHA256

    eafa6fb1e47f7ac7763d334901adf18ec11305767ef65aadb9a4b97ff322c818

    SHA512

    3485a4dddb598629ae5d3ed91ae8b165725c434b09a31db30cecca337e98527ad5570283e97180996b1f71d11d997fb93a36a2e09cac68680054cc2e23f125dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com
    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Beverly
    Filesize

    89KB

    MD5

    423e53801596a3754f3381b00520324d

    SHA1

    af7edcc9397fb76ecf2565069d6a8a463aaad356

    SHA256

    5e239df69afe95bf5f6b7f2c73734f5077f0e81e68d335d1afc8a02095a08d44

    SHA512

    d03b2661b36575b2b7bf0973e9c7d7aef5e2bbd9cd2d5c79d387235de6705c9fc525cb4887754b7a2cde3bc6d712c51b0d400016e570ae9ccf893d8342ac6db2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cabinet
    Filesize

    52KB

    MD5

    beca63186b42e3bd6e4fa41c8267cafb

    SHA1

    2752ce8c9f0e4147258ad7ee353e1cb7e1f21d2a

    SHA256

    22cabd142ba36370e14bc6e12be12447a0b6e076f5d0321af3aa03cf90535ddb

    SHA512

    1d30809c114a2ea2d09110f1b375fbe4e571a48bc7e0a999d6ea7f65db13050275beb3468a2ecdca7fbdfaf98702c679abb5d6f5b4b0ec694b20e5cc86a9870f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Camcorders
    Filesize

    32KB

    MD5

    3301e26e06a9bdd9a1bc170c69e81c42

    SHA1

    b37eee171583d38339d47ad58245a3e1995b6773

    SHA256

    72d32e2ee62983f9a970a2c3fba99ffd16a568ecbdce30414137bccb357ddb8d

    SHA512

    e2f396a7ea35303ca30c508360c5308f7caad4d4b0e531a8abc7d5af9c91540c3ccbd7aeffad4d16f8195789c41a882031c025e2f8040718a0fdfa4ec6a456d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Carmen
    Filesize

    70KB

    MD5

    86535bd717538f76a712051215acffe0

    SHA1

    a35d175c770619532670489e220f7aea33e31b82

    SHA256

    ec71593a937b600a439fedd5c08443dd33f3fff54db79cb4c2fe1e8b115304a4

    SHA512

    05a6ede5dac033a468c19c665c8deb2ae07127548c43d1036b147ef97a660b61c91f9dcf6e11d7583fcdae9c6e1f86f91e7f6b3121be62970f1e54a158a69ec4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Circumstances
    Filesize

    116KB

    MD5

    1e9912d485a7aa78f66dcc4600767d05

    SHA1

    8a54fd29685f4459f560e45614fd3247d372faeb

    SHA256

    0883bac437e48a02304fcb60f479cdddf341897f6efbff702fc97e2c62f4629b

    SHA512

    b3fe37cbf93dcd863a594723acb26c65779c194f292262fdc5c8d869a6e77a8d041e243fbb9e982deda8db23e0872f58659269d831ccc522a76eb06e08130f4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Dial
    Filesize

    94KB

    MD5

    6c35273608049b0a414a70922432ed56

    SHA1

    535a9553219e4e5eda492fbcdcff3ad0dc30c014

    SHA256

    897467d02361d67ae47453019aa1a707bdb05fe4895ff2eb0f648117e4c9a9e0

    SHA512

    ed6bc781547695d02ac5cedff311e00cc103b9d8df9012f09ccaa2a658b388519eb49995ef67db46d2e254d90756aeba76084faa9780e534ea5bf790d20bf897

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Digit
    Filesize

    75KB

    MD5

    dd30b08b16b5673809ddcf69c9520716

    SHA1

    9bdce7a52d0ae11d3a4cb0554d468f1aee7952df

    SHA256

    f9e21ab38541c29b29640d6065ebdb3e465c9b5c42b2c8d88930531e7ea592de

    SHA512

    e351ca9aeda50efef57b8a497554be6a6ae2485ee06183794d5d07129dbfba2bffff64bd8563bc7994b07be2da5e4f09b55599a68b45b433875af32606d1948b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Food
    Filesize

    495B

    MD5

    ae9aa8b1fc2a881cc5e432fa722a123b

    SHA1

    a72d7db7e2383bd7af65889a7480da31338a0610

    SHA256

    970b6f2d200dfc9fa8abb9acda01adda008aef5f3056e6f9017e3582e705b229

    SHA512

    b7ce3d36d9a5227ec1319b5b689b01e07b18f7b9cddedd114f08cac8ee15a200f007239d31a55da4bf132591a4bd18e853bb1fdd99ad35ed42532f4de64745d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Including
    Filesize

    477KB

    MD5

    c91a63810cd590f88f57d0f011fff7cb

    SHA1

    1f496c923982dfd63a4621ed600aa9a1981e61ce

    SHA256

    5beee0043fd30a3838851d29eec944b6c35675a16b8b38ddea0feab9aba40372

    SHA512

    6135a350df50eb367b4a391ff3a819ada11dbcdc58b29eba5877da7b0bfdf4dd5f0ccf46e3b52e5b0a8e20212b02db908fed0db51d435c7af2f16571abb1d322

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Manga
    Filesize

    82KB

    MD5

    32ba40029fb16a3b6501993ae7d4d6e2

    SHA1

    8a242625cfdadbb6fb87869531d74d5b3c226e6c

    SHA256

    6b1203b0aa2d77c068474cfca065e673f63128d0d4bf680a9bce73aee8ffa70a

    SHA512

    5c54f37773e6f965fbbf1ac4b8d294be424df389ffe195e818d99155f268775f4cf65081655d1ff119a707e5cd0a1cf47381ffbf4f51dc1c34adc0e4b0438253

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\More
    Filesize

    34KB

    MD5

    ace4babbbfab6829c0c5f29b089eb222

    SHA1

    13bec11deab5552f45c2ed84f216254f04987eeb

    SHA256

    074c318d048f05403861b195b3099950c528ac93edf9cae4a8a7a223ee3e771c

    SHA512

    a7af2994ef5f1a39d2a5e42f40aa27cf19aeeb0373468e1ada58ccf75dc186fb5680ff573b8465eec010c5ee4121008f0b67fb4c2795b442c3ddb6316b8b3589

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Reaction
    Filesize

    99KB

    MD5

    9e60f847c8905bcea5fce1b404be787d

    SHA1

    ccbfa12fa6521de81d135972a4fb5877f6f9876f

    SHA256

    55fe0fce17316361a5d721db3817f49a12a468c078cf219135c2ec82a917ba9c

    SHA512

    7d459081bc497f68a46585baff5dbf8ec9d3be5ef706637a0d6b23ae3394c2d9c0ddf46ff938f8527defa66ce248b9913c39d7ff15b95e11ea50309210f274cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rw
    Filesize

    54KB

    MD5

    3109da05a51e0346c944cc4d5ec69a2d

    SHA1

    c9a6c71f0d89fba62b1b4fe071e71118977cfdb1

    SHA256

    4f654a19fd72c48fe60976adc1f0e8836bdca05469b33c5bd879ff012b69d63f

    SHA512

    49970654f295014a3f4c2d26b329dc4ac1db8ad1fbae58d571e3d01d5236d9d005b86e0a84d00b22500355c98e494f052cf8f31ecc973acdfcea159ff615035a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Selective
    Filesize

    62KB

    MD5

    7d9756691edb69e4770b28e179021e47

    SHA1

    3768e4f6f121cc06fc8e160c6393829ff92ea5f0

    SHA256

    bebf4c78e85da0bff29917f1be0e72abe0a90f049d930009eae626477b15a1d4

    SHA512

    6b5b102c65416843a7c1d726e753459cd00c868ca90bf15ccba4894ba8468f30aaa5ab477afdb88b3c89c865915fc367ec28c93d9308ed2d19fdbfd1fa08a534

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Shortly
    Filesize

    53KB

    MD5

    965e96449ed6f450d230bae35f692d88

    SHA1

    5455c2def234a19429c00c1f89204122ec7d647b

    SHA256

    5350a8e80a7319e726181b27e6de22369440dd886a03bb69789458ec4f917528

    SHA512

    38ddfa73d757b8076aa903d0d1928c9ab75eed20df4e3965bf900d47522638c15059cc888e61890526a1eeb2449dd358e160edfe4e7d476b8cbec502b9de2375

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sixth
    Filesize

    84KB

    MD5

    e1d3296e1a37e1aa1ab6ffec411ad6bb

    SHA1

    d9dfa685019a310206ea86a5c17770d4715ed0c3

    SHA256

    cd653b7b6a15148b0a0a93c796549c6ef4ac6b419fe3934a202589a5e6a20402

    SHA512

    4b49900f88146719010aae4024770e81116a88002dcaf39fb2a403fa3919a6825c80cb36a73f524851ab3d789802daee207aaa5e86027642c9f09b4be72264ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Spare
    Filesize

    116KB

    MD5

    2517b87efca5f3bc96f8675597c8bf3a

    SHA1

    77166db5b13351515a6aff43becd1852508bab9e

    SHA256

    e1e488a0bbdeb95b8e2a56940080f6cb42a1b24198a469f2293476324243b4f9

    SHA512

    ed6d6ff08834e1401ec8a9eaf53626b93f38b87e1fa61e4dc31f754cadf44fcc26479d534ab95c235b593bdb597fac108a3501cf4e395c719071339305d82916

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Toddler
    Filesize

    125KB

    MD5

    b31da340190873e96f12aefc7ceafef8

    SHA1

    244b0c459250ada1cae6b3604bb2508a6a9e0520

    SHA256

    d7c247d414377f6f80bd8e5dbb7d33a39326e82114344a0c7cd37799e48f0a41

    SHA512

    ed460c190ddef61c97a5490830042d7b35cc695a61ac79121c1e8e8397e9d773366f11086000e633a98f7126f3a97ce8b2be86801540659715b3c5ca24f6d523

    Download Submit

  • memory/4088-69-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-70-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-73-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-68-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-72-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-71-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-81-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4088-80-0x0000000004650000-0x0000000004889000-memory.dmp

    Filesize

    2.2MB

    Download