vidar | 7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4

Analysis

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4.exe
Size

787.4MB
MD5

513273b8c3d627f28bead53b61b62d22
SHA1

4030328d963383612cd99ddad191e42d56c44d97
SHA256

7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4
SHA512

1537c176727547ef4a17c294600c834deedb7d583ee67ebf4f056ea83080dcb09c63cfbd1977e926f766fe980230bb76ce29a29dad9834a9e21d1a46d2ae5a63
SSDEEP

25165824:BnnnnnnnnnnnnnnnnnnnnnpnnnnnnnnnnnnnnnnnnnnnpnnnnZ:Bnnnnnnnnnnnnnnnnnnnnnpnnnnnnnn7

Score

10^/10

vidar c16a465ccc6a374a63c60139396c2756 discovery stealer

Malware Config

Extracted

Family

vidar

Version

4.9

Botnet

c16a465ccc6a374a63c60139396c2756

https://t.me/vookihhfd

https://t.me/booliiksws

https://t.me/dastantim

https://steamcommunity.com/profiles/76561199529242058

Attributes

profile_id_v2
c16a465ccc6a374a63c60139396c2756
user_agent
Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
448	JaffaCakes118_7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4.exe
448	JaffaCakes118_7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c31b96c380c4862d280bf119b7afaeb951cb0190a05a58b25e46ad6bf01c3b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-0-0x0000000000450000-0x000000000071E000-memory.dmp

Filesize
2.8MB

Download
memory/448-2-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/448-1-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/448-6-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/448-5-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/448-4-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/448-3-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/448-10-0x00000000000F0000-0x0000000000EAA000-memory.dmp

Filesize
13.7MB

Download
memory/448-23-0x0000000000450000-0x000000000071E000-memory.dmp

Filesize
2.8MB

Download
memory/448-24-0x00000000000F0000-0x0000000000EAA000-memory.dmp

Filesize
13.7MB

Download