Overview

overview

10

Static

static

1

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    1.1MB

  • MD5

    1b31c291993985499cf544cc549e9028

  • SHA1

    068d213d11e48f8dda5d90a96512b8101f29ad9e

  • SHA256

    f8615202ee1e9ccb7509f98c643b7bd6e01e439c57b78fd547cf96fd27ec5a47

  • SHA512

    e60267556172f46e5d59a44bd60edc2639b6b26282ebb5615099bbd0cb2a3d7429b66fda1a7d02fb17f00c898fe3d289b7adcf73d51f139f3d87cd7e34388302

  • SSDEEP

    24576:whp0JbDs5hGLQlVGUUvJ5zYwe3H+2EEUsemRb3NpEWKj:kipohGLaGUU7zrm84jb37i

Score
10/10
vidarcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Detect Vidar Stealer 4 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Earning Earning.cmd & Earning.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1312
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3396
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 139308
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4808
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Frame" Ron
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1432
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Brochure + ..\Divine + ..\Surgery + ..\Posting j
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2208
      • C:\Users\Admin\AppData\Local\Temp\139308\Procedures.com
        Procedures.com j
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\139308\Procedures.com" & rd /s /q "C:\ProgramData\7QQ1NYCJM7GV" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:488
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2992
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\139308\Procedures.com
    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\139308\j
    Filesize

    267KB

    MD5

    ee15ad7483051c844b95dd14cb16b4ca

    SHA1

    3e0e0db838b650d6f1302aa4cb6f3b7cc736ebde

    SHA256

    aa221b76b3c00adfb49bed18cdf4095a304a4fb468eafd590f347552f37799bf

    SHA512

    a6bca037dd588b0522dc5a2a9e04c91cb68fc9122715964baf8e483fddc683acd921b7dc3f293c5bbf920d01f38cf9269e4ebe9f807f6982853e2ef16df7b40e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Brochure
    Filesize

    93KB

    MD5

    6c1aee29bd7f5710593402d1c6fc2142

    SHA1

    1cc5943734cc2fc1d7bbc488e97f821239a3e3b9

    SHA256

    b869f6b200abff5542721f7ccdc87bb01cdbc31102956dcaa7e46c552d5b982e

    SHA512

    2561bec7c1391347d7bde38c344a98ecd64764733f6b39ec702a96ad9cd9b140795dfebab9b944db7ccdf08b6dc63c58665f6263e7d546e8ae336f36ee43a46a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Buyers
    Filesize

    53KB

    MD5

    03a413e3c0f468a8daff75c079a6e00e

    SHA1

    9ff241ce3b86aa1aac24f308c92c723b267a3a7f

    SHA256

    28ef2ef007a8f2fa7648edd51c6fbbeeb98725f5d6450900a4735ad228a3903f

    SHA512

    0486e660afe95510b4398a7d099eb20bac1487925e8042acb7495ffdb760b635c49f8af781f3e0dd2531198af35260d14b00f109a41ce21aa92f5b186f12c47d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Disable
    Filesize

    102KB

    MD5

    130cd154679f29a6f3cad6e427478683

    SHA1

    6f5696ed43c2220b49405c4fd58abec781e14508

    SHA256

    9384137a3d8cc870b9d283225a60759fece3d27cf3162e36f506480bce06e51d

    SHA512

    ba3780d03de2eab88d16d319167f7a9a74eb1bfa1ba4e9181e582c0b9c715a8c5e3183f709e79326839a9d5650ca72d849b0f0ed1f213c504f75d350513e5f7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Divine
    Filesize

    80KB

    MD5

    ff2ce214d200d352c7d04800b152bc2e

    SHA1

    988ef81e6a0f7571b52686341931162430ba6261

    SHA256

    311655e9c9bf8035f60d9e762c3c95d264232bfd96855e793402a5b5f4d5a13a

    SHA512

    9cb2a6ab541eb7bc96b7e4b15da21456eeeda8d9c8ab01bd84c794d46c632f0d2aaca480516f8d0a527afb253ae196e7b5b54338bbf07f5145b912a4a6c3dfcd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Eagle
    Filesize

    123KB

    MD5

    208acef2dfc4e230b25b4b4a0673ffe1

    SHA1

    8d09b32a1be8ebe1f8695653aa50c1fed4ab20c5

    SHA256

    152d7ccb9a28b79d9c29077330ed61c34bad168c4b0bacbe16907d90a2046a65

    SHA512

    0dc461b583727b831bbd51a5b1822fe160caae07a46313f17d2957056d623c8ca103b3a47278c42f0ede5c148d3717e065f6bb3ccfeb5e151272dab91e0fbae1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Earning
    Filesize

    13KB

    MD5

    1b6aca105b86401bf6a8206ab2ed2604

    SHA1

    4ec6822b90eeac4ed23b1b199b6c1ac235601ada

    SHA256

    1c68da14f6314db369b3a2a9e1bc2023f2e16f34b21d1f4c239511495473b183

    SHA512

    a163ad3005a74ada8480f4ce6aeee1692a487ffc4266530ab2f14f7f5b3b1cdad0e26f2fee895b0f16c0a9b42c08f2608af3d8ad41e84a914b9e7aab48177b07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Eva
    Filesize

    70KB

    MD5

    ba176db7e9de7450c412a1c571937169

    SHA1

    01718d40f54e5340e876e0c8cd15bc4b9c3cff11

    SHA256

    1929af35c1cca40411bbf3c6bc4ff1416fa4971d2eab01e4b3ca9d82bc78fd50

    SHA512

    d572131b71c8f652abfc0f2dc9adec3045f21c3d14466579a9b9c9eeacbd1b492bf64225f34be336799519fda43650d004d3abec29f861e460472fb0815ffd3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flying
    Filesize

    107KB

    MD5

    ebafafe47265312cc96968bb58945199

    SHA1

    4628bb988c420cceac163e069a082987a2a508e4

    SHA256

    9c0ce1e70af52572d22685f85e9f2d75eb9d4c1ce8e82ea71c4a644b9e0927ba

    SHA512

    48827473e4259133ae2e759287770592b08b30349cb855fe67620e170efdd9566ffae1fb96ec6c2b1bb1c7fa9257566661c7e208a81cce4daf9b78e3d44f96a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Handjobs
    Filesize

    55KB

    MD5

    04915e6efc00606817e44b785e0fc040

    SHA1

    972c805fd5532bd87f0f754f39026fe975f82596

    SHA256

    176cdbdb7708ce1f761af3eb1f33b66627b52d6c48be213c6596dbce68731f3a

    SHA512

    411df77612fe79c83bfc826f7a922dde6cadc316a8084e4e63fcd4c191f165526f8f1f7ba973849cd8637a7224dafcf81c613519b5ce24b0d44695c3a3b300d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Imagination
    Filesize

    97KB

    MD5

    f87e02324242f1ca95fedba37caa7f29

    SHA1

    0490816c97722e9d4da97985e67a7be8e2e4eb7a

    SHA256

    6d089a79d61945744fdd931c131068b2e2acca8721df0d26d9d797957d88b0e0

    SHA512

    dff322f1d33aefefaf00e1eb26d90b90a031820b97e5c6d90fe90259542ac2b75ff6a3e09f585b855dd2ae012760e3963aef35294b254e2560225cdb6617e06c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Lp
    Filesize

    69KB

    MD5

    d1da746c6f362a9f5f7f1c85881d10db

    SHA1

    bbc4e7309bb49662a7a6db1f783821b98c68c259

    SHA256

    0ddd6ab68693cdea2f6b39fbb12328e3d41cc39dc4b9f40b7810149872caef20

    SHA512

    0331c3e4f496e125ef6b0a2a84547dc172302ff75e137e83dc10ce9161afe3a64883bc6665560cc40620d07f18ce163b2bcfc68b3e3176af99f1804acf88f2da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Night
    Filesize

    128KB

    MD5

    9c30e32ffce2aa493ef4238a2ba1fdaf

    SHA1

    282d80b3d0481bd1facad68ee6ae344e4001122b

    SHA256

    55e244354b1483fc405522d97ede1c752c6b8f288a17d4ff32cb410c6ed48404

    SHA512

    8b17c56aab1eb5ac2aafac6f7c92cb9afc76daf409574c34ccb7c0d027e6705cd62510db35dfe1aab60da96130d4b94de9450ba92911323042cde548b596e2b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Posting
    Filesize

    34KB

    MD5

    94a5a552efe142146e3a98adebc6002f

    SHA1

    018fd52a873deaf40d37ce5894c30492f90fad9d

    SHA256

    2028cd9387ac54bbd6929857fc52d994531d7e2d05ab7d1ab5dd35b06ee44d52

    SHA512

    52076d5003172b51e35c9d2fe85d65d3b18e377f6dcd0eb47dd4a91cd44ceb1bc187ceca84dce32fb39676a247da3c280e57b6f3e1e40fe21dafa37c3ccb605d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ron
    Filesize

    2KB

    MD5

    3072f9007a0ec1d4f38505c4053581f4

    SHA1

    c6b7fafc0fff4e0bd8e11281fa2871edffb6e60b

    SHA256

    0a48e97f5221173353bc56e28ba0bfe5d9037dc71dd0df6b0647e6b8c7d104bc

    SHA512

    4c9260fa5027f13df6e563ffc8d8a639c0ae05a41a3e72968c802cfa9f4f00ed6c314764851b83309944dca2ce8917e678f9cd6e122eb239248fa89da2c2fddd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Surgery
    Filesize

    60KB

    MD5

    9d729fa7dcc31dd7e20873436d29fde4

    SHA1

    06ad28e52c9f7e09d0fd264c42a03c779aaaaa03

    SHA256

    64263c0ce8db87f1ccea789d3fd14abbc170e2f787e2ff5eda987bd53101233b

    SHA512

    a652af0baecc03b2cf5d8098a59cf55da35111c8b70a8b5788fd7d005d4ab612bf43c81ab7d10ff3898a917a00948c4700cff93d7e72227ba6583c9118c7b69a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Transparency
    Filesize

    118KB

    MD5

    e88a09fd9d9939bb263a692f5c2ac5bf

    SHA1

    50afe54c82c2754a011b6002fc42060686e22055

    SHA256

    b896ca8a3f7d9ef0d96b8193bfa66edbae86bba71ae05123e50bfe858cd02f66

    SHA512

    089f5f5406df18921865c385f52c3bf3750f6e0b479b47b3e4b7be68362ea0af963002221bd872c890f058896d8cd2c71b6a89e14047c6928aef5271e3fed4c2

    Download Submit

  • memory/1248-42-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-43-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-44-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-46-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-47-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-45-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-54-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1248-55-0x0000000004AC0000-0x0000000004CF9000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4932-40-0x0000000076D90000-0x0000000076E17000-memory.dmp

    Filesize

    540KB

    Download