Analysis
  max time kernel:  95s
  max time network: 144s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        19-01-2025 07:19
Static task
  static1

Behavioral task
  behavioral1
  Sample:   770b223cce43b2043d5953fffb30c512.exe
  Resource: win7-20240903-en

Behavioral task
  behavioral2
  Sample:   770b223cce43b2043d5953fffb30c512.exe
  Resource: win10v2004-20241007-en
General
  Target: 770b223cce43b2043d5953fffb30c512.exe
  Size:   44KB
  MD5:    770b223cce43b2043d5953fffb30c512
  SHA1:   4b535eec398fe92c7b59b05fd8be500c49942cee
  SHA256: 2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916
  SHA512: bdc7f650a8a09cb4099f174c287681c8199785477272f9e9d1762a7f9be2e9aa02975078958ce59eab592f814de6c78efe579886a0e1ef511cb41558a081ce9c
  SSDEEP: 768:8FtchgNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fejq:8FtggN7aeGEk+11Tu9AnQVLNppvk9RNQ
Malware Config
  Extracted
  Family:     vidar
  Version:    11.4
  ID:         12d6c83ea3cfc666e31df67358e93313
  C2:         https://t.me/asg7rd
              https://steamcommunity.com/profiles/76561199794498376
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures

Detect Vidar Stealer (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1140-20-0x0000000000400000-0x0000000000700000-memory.dmp  family_vidar_v7
  behavioral2/memory/1140-22-0x0000000000400000-0x0000000000700000-memory.dmp  family_vidar_v7
  behavioral2/memory/1140-17-0x0000000000400000-0x0000000000700000-memory.dmp  family_vidar_v7
  behavioral2/memory/1140-39-0x0000000000400000-0x0000000000700000-memory.dmp  family_vidar_v7
  behavioral2/memory/1140-40-0x0000000000400000-0x0000000000700000-memory.dmp  family_vidar_v7

Vidar family

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  RegAsm.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  1140  RegAsm.exe
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Unsecured Credentials: Credentials In Files (1 TTPs)
  Steals credentials from unsecured files.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                               procid_target
  PID 5004 set thread context of 1140  5004  770b223cce43b2043d5953fffb30c512.exe  87
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  770b223cce43b2043d5953fffb30c512.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                               Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  RegAsm.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RegAsm.exe

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  4136  timeout.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  5004  770b223cce43b2043d5953fffb30c512.exe
  5004  770b223cce43b2043d5953fffb30c512.exe
  1140  RegAsm.exe
  1140  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5004  770b223cce43b2043d5953fffb30c512.exe

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, count in last column)
  description                       pid   Process                               procid_target  entries
  PID 5004 wrote to memory of 2256  5004  770b223cce43b2043d5953fffb30c512.exe  83             3
  PID 2256 wrote to memory of 420   2256  csc.exe                               85             3
  PID 5004 wrote to memory of 4940  5004  770b223cce43b2043d5953fffb30c512.exe  86             3
  PID 5004 wrote to memory of 1140  5004  770b223cce43b2043d5953fffb30c512.exe  87             10
  PID 1140 wrote to memory of 816   1140  RegAsm.exe                            89             3
  PID 816 wrote to memory of 4136   816   cmd.exe                               91             3
Processes

C:\Users\Admin\AppData\Local\Temp\770b223cce43b2043d5953fffb30c512.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\770b223cce43b2043d5953fffb30c512.exe"
  PID: 5004
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4bit1uh\h4bit1uh.cmdline"
    PID: 2256
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A2F.tmp" "c:\Users\Admin\AppData\Local\Temp\h4bit1uh\CSCAB5A646C328B4F54B3EBE9A38C303CC0.TMP"
      PID: 420
      - System Location Discovery: System Language Discovery

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    PID: 4940

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    PID: 1140
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\DGDHJEGIEBFH" & exit
      PID: 816
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 10
        PID: 4136
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 676KB
  MD5:      eda18948a989176f4eebb175ce806255
  SHA1:     ff22a3d5f5fb705137f233c36622c79eab995897
  SHA256:   81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
  SHA512:   160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

  Filesize: 1KB
  MD5:      f049c0c81903e08ccbe39a9faeb027c6
  SHA1:     15a09aa335e2ed6cd9138e5f75be2b0a6966a9c8
  SHA256:   21de3e0171c675ceb2fa469c7fada58cba6863794bc0b45fb2e485b4fb2e2f77
  SHA512:   b37942fe7e2ed658d27118790a177a51c46c8c4038613b46f0f4ef3776e66ac5455cfa8869912f53933e57569637acb5e2f26c2c80bceb7617e11a964c0beb68

  Filesize: 8KB
  MD5:      969c20d7e45dc9fb24dd95bfbf7e87fe
  SHA1:     273103f771fe636a881a2b6adafc86196385e324
  SHA256:   8b9e36c4a6b1735be6af0164629ad544e77449c8ac110bc20eb19483724178e0
  SHA512:   b39cd5c56b47a6ffd9a7d9cb4be1674c37d1c9eea4e2e64600a31870627fa16839a42b31e232dcaaef05fae1784bbadf8442a55208ccca35d66f2f3c9253f577

  Filesize: 652B
  MD5:      74774f18a98581e4925d4a9478bc448f
  SHA1:     9635e17e3220a824d5d893684cec05f58ef2dc6c
  SHA256:   e910a3b8003a980336347819a3aa9b6d88a7f70b63b66a9989d48f79adb81775
  SHA512:   52a4a830ddd58767920926a77f55db2ed1b7330f7eed91d15611d25c95883700dcaa202b47139bf752f311df6c36d53cad155496ef27856e60bf50dcab5e8c43

  Filesize: 10KB
  MD5:      b022c6fe4494666c8337a975d175c726
  SHA1:     8197d4a993e7547d19d7b067b4d28ebe48329793
  SHA256:   d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a
  SHA512:   df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

  Filesize: 204B
  MD5:      70f0bbf6b0eb67658986b5a4dc169a5e
  SHA1:     c857dd9c49de7bc4396c77e08e1b44a05f025e83
  SHA256:   ed289e3ae079374dbb1767ae351b5e0e412ac01dac313217a8596128c858abec
  SHA512:   31af8d7aa71c4927f7ec4db94e2bd12d7fda6953310db1fe5fe550d956a070c6a8ac7621acc83ec55f6e56ffae067f958c5c254fee26f80ae2994780d8de522e