vidar | 324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
Size

336.4MB
MD5

876f5de542386abdc4699b77687e279e
SHA1

24c0161a3968a97443be2cd1d1d96181285947bd
SHA256

324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26
SHA512

d1f12d0611093008d707d04c58dbae510dc84dfeb738a8052c174e2d2b5225226b398417ae918bb64792e41cec69eec4cc7ad66d7c15de0e6c664d3baa897f5b
SSDEEP

98304:3QHpw7wLHY5E5ThVOTYheiqTBODGm/RygXAWVWCwi+1j7:AHpw7v5EPuBxeIhWVJw/1P

Score

10^/10

vidar 670 discovery evasion stealer trojan

Malware Config

Extracted

Family

vidar

Version

51.9

Botnet

670

https://t.me/btc20220425

https://ieji.de/@ronxik213

Attributes

profile_id
670

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe

Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/4816-21-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-20-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-24-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-25-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-29-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-28-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-27-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-26-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-23-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-19-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-30-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-38-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-39-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-42-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-43-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-67-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-59-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-68-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar
behavioral2/memory/4816-76-0x00000000009B0000-0x00000000010DE000-memory.dmp	family_vidar

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4816	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
4816	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4816	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
4816	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
4816	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
4816	JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_324c6159854181351a28a38c3f38a00007f2f150ef0d1c77fcc30424a8de6b26.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4816-0-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-1-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/4816-3-0x00000000009B1000-0x00000000009E8000-memory.dmp

Filesize
220KB

Download
memory/4816-8-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/4816-9-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/4816-10-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-12-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-11-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-13-0x0000000075AC0000-0x0000000075CD5000-memory.dmp

Filesize
2.1MB

Download
memory/4816-15-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-14-0x0000000076BF0000-0x0000000076E71000-memory.dmp

Filesize
2.5MB

Download
memory/4816-7-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-4-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-5-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-16-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-21-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-20-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-22-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-24-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-25-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-29-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-28-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-27-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-26-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-23-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-19-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-18-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-17-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-2-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-32-0x0000000076890000-0x00000000768B4000-memory.dmp

Filesize
144KB

Download
memory/4816-31-0x0000000075AC0000-0x0000000075CD5000-memory.dmp

Filesize
2.1MB

Download
memory/4816-30-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-33-0x00000000768C0000-0x00000000769E0000-memory.dmp

Filesize
1.1MB

Download
memory/4816-35-0x0000000074EB0000-0x0000000074FAA000-memory.dmp

Filesize
1000KB

Download
memory/4816-34-0x0000000075E70000-0x0000000075F2F000-memory.dmp

Filesize
764KB

Download
memory/4816-38-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-36-0x0000000074B40000-0x0000000074CA9000-memory.dmp

Filesize
1.4MB

Download
memory/4816-39-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-40-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/4816-41-0x00000000009B1000-0x00000000009E8000-memory.dmp

Filesize
220KB

Download
memory/4816-42-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-43-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-63-0x0000000075E70000-0x0000000075F2F000-memory.dmp

Filesize
764KB

Download
memory/4816-66-0x0000000076BF0000-0x0000000076E71000-memory.dmp

Filesize
2.5MB

Download
memory/4816-67-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-64-0x0000000074EB0000-0x0000000074FAA000-memory.dmp

Filesize
1000KB

Download
memory/4816-62-0x00000000768C0000-0x00000000769E0000-memory.dmp

Filesize
1.1MB

Download
memory/4816-60-0x0000000075AC0000-0x0000000075CD5000-memory.dmp

Filesize
2.1MB

Download
memory/4816-59-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-68-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-76-0x00000000009B0000-0x00000000010DE000-memory.dmp

Filesize
7.2MB

Download
memory/4816-87-0x00000000768C0000-0x00000000769E0000-memory.dmp

Filesize
1.1MB

Download
memory/4816-89-0x0000000074EB0000-0x0000000074FAA000-memory.dmp

Filesize
1000KB

Download
memory/4816-88-0x0000000075E70000-0x0000000075F2F000-memory.dmp

Filesize
764KB

Download