Analysis

  • max time kernel
    95s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 07:19

General

  • Target

    770b223cce43b2043d5953fffb30c512.exe

  • Size

    44KB

  • MD5

    770b223cce43b2043d5953fffb30c512

  • SHA1

    4b535eec398fe92c7b59b05fd8be500c49942cee

  • SHA256

    2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916

  • SHA512

    bdc7f650a8a09cb4099f174c287681c8199785477272f9e9d1762a7f9be2e9aa02975078958ce59eab592f814de6c78efe579886a0e1ef511cb41558a081ce9c

  • SSDEEP

    768:8FtchgNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fejq:8FtggN7aeGEk+11Tu9AnQVLNppvk9RNQ

Malware Config

Extracted

Family

vidar

Version

11.4

Botnet

12d6c83ea3cfc666e31df67358e93313

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\770b223cce43b2043d5953fffb30c512.exe
    "C:\Users\Admin\AppData\Local\Temp\770b223cce43b2043d5953fffb30c512.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4bit1uh\h4bit1uh.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A2F.tmp" "c:\Users\Admin\AppData\Local\Temp\h4bit1uh\CSCAB5A646C328B4F54B3EBE9A38C303CC0.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:420
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
      2⤵
        PID:4940
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        2⤵
        • Checks computer location settings
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\DGDHJEGIEBFH" & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\chrome.dll

      Filesize

      676KB

      MD5

      eda18948a989176f4eebb175ce806255

      SHA1

      ff22a3d5f5fb705137f233c36622c79eab995897

      SHA256

      81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

      SHA512

      160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

    • C:\Users\Admin\AppData\Local\Temp\RES8A2F.tmp

      Filesize

      1KB

      MD5

      f049c0c81903e08ccbe39a9faeb027c6

      SHA1

      15a09aa335e2ed6cd9138e5f75be2b0a6966a9c8

      SHA256

      21de3e0171c675ceb2fa469c7fada58cba6863794bc0b45fb2e485b4fb2e2f77

      SHA512

      b37942fe7e2ed658d27118790a177a51c46c8c4038613b46f0f4ef3776e66ac5455cfa8869912f53933e57569637acb5e2f26c2c80bceb7617e11a964c0beb68

    • C:\Users\Admin\AppData\Local\Temp\h4bit1uh\h4bit1uh.dll

      Filesize

      8KB

      MD5

      969c20d7e45dc9fb24dd95bfbf7e87fe

      SHA1

      273103f771fe636a881a2b6adafc86196385e324

      SHA256

      8b9e36c4a6b1735be6af0164629ad544e77449c8ac110bc20eb19483724178e0

      SHA512

      b39cd5c56b47a6ffd9a7d9cb4be1674c37d1c9eea4e2e64600a31870627fa16839a42b31e232dcaaef05fae1784bbadf8442a55208ccca35d66f2f3c9253f577

    • \??\c:\Users\Admin\AppData\Local\Temp\h4bit1uh\CSCAB5A646C328B4F54B3EBE9A38C303CC0.TMP

      Filesize

      652B

      MD5

      74774f18a98581e4925d4a9478bc448f

      SHA1

      9635e17e3220a824d5d893684cec05f58ef2dc6c

      SHA256

      e910a3b8003a980336347819a3aa9b6d88a7f70b63b66a9989d48f79adb81775

      SHA512

      52a4a830ddd58767920926a77f55db2ed1b7330f7eed91d15611d25c95883700dcaa202b47139bf752f311df6c36d53cad155496ef27856e60bf50dcab5e8c43

    • \??\c:\Users\Admin\AppData\Local\Temp\h4bit1uh\h4bit1uh.0.cs

      Filesize

      10KB

      MD5

      b022c6fe4494666c8337a975d175c726

      SHA1

      8197d4a993e7547d19d7b067b4d28ebe48329793

      SHA256

      d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

      SHA512

      df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

    • \??\c:\Users\Admin\AppData\Local\Temp\h4bit1uh\h4bit1uh.cmdline

      Filesize

      204B

      MD5

      70f0bbf6b0eb67658986b5a4dc169a5e

      SHA1

      c857dd9c49de7bc4396c77e08e1b44a05f025e83

      SHA256

      ed289e3ae079374dbb1767ae351b5e0e412ac01dac313217a8596128c858abec

      SHA512

      31af8d7aa71c4927f7ec4db94e2bd12d7fda6953310db1fe5fe550d956a070c6a8ac7621acc83ec55f6e56ffae067f958c5c254fee26f80ae2994780d8de522e

    • memory/1140-17-0x0000000000400000-0x0000000000700000-memory.dmp

      Filesize

      3.0MB

    • memory/1140-20-0x0000000000400000-0x0000000000700000-memory.dmp

      Filesize

      3.0MB

    • memory/1140-22-0x0000000000400000-0x0000000000700000-memory.dmp

      Filesize

      3.0MB

    • memory/1140-39-0x0000000000400000-0x0000000000700000-memory.dmp

      Filesize

      3.0MB

    • memory/1140-40-0x0000000000400000-0x0000000000700000-memory.dmp

      Filesize

      3.0MB

    • memory/5004-2-0x0000000074B10000-0x00000000752C0000-memory.dmp

      Filesize

      7.7MB

    • memory/5004-15-0x00000000060D0000-0x00000000060D8000-memory.dmp

      Filesize

      32KB

    • memory/5004-25-0x0000000074B10000-0x00000000752C0000-memory.dmp

      Filesize

      7.7MB

    • memory/5004-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

      Filesize

      4KB

    • memory/5004-1-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

      Filesize

      72KB