Overview

overview

10

Static

static

3

2f317783eb...16.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    115s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-01-2025 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe

  • Size

    44KB

  • MD5

    770b223cce43b2043d5953fffb30c512

  • SHA1

    4b535eec398fe92c7b59b05fd8be500c49942cee

  • SHA256

    2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916

  • SHA512

    bdc7f650a8a09cb4099f174c287681c8199785477272f9e9d1762a7f9be2e9aa02975078958ce59eab592f814de6c78efe579886a0e1ef511cb41558a081ce9c

  • SSDEEP

    768:8FtchgNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fejq:8FtggN7aeGEk+11Tu9AnQVLNppvk9RNQ

Score
10/10
vidar12d6c83ea3cfc666e31df67358e93313credential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

11.4

Botnet

12d6c83ea3cfc666e31df67358e93313

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

  • Detect Vidar Stealer 5 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe
    "C:\Users\Admin\AppData\Local\Temp\2f317783ebd3c12517e36d052c09e88291cf335f8f83efdc360aa9dbcb8eb916.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kczpcwlt\kczpcwlt.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp" "c:\Users\Admin\AppData\Local\Temp\kczpcwlt\CSCBA904EA4ACEE4C339E7BB1A64DA45A77.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3980
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
      2⤵
        PID:3756
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        2⤵
          PID:2204
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3248
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\IJKFCFHJDBKK" & exit
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2112
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 10
              4⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2732
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
        1⤵
          PID:2292
        • C:\Windows\System32\oobe\UserOOBEBroker.exe
          C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
          1⤵
          • Drops file in Windows directory
          PID:2056
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
          1⤵
          • System Location Discovery: System Language Discovery
          PID:3824
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
          1⤵
          • System Location Discovery: System Language Discovery
          PID:2792
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
          1⤵
            PID:4452
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
            1⤵
            • Drops desktop.ini file(s)
            • Checks processor information in registry
            • Modifies registry class
            PID:4752
          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
            C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
            1⤵
            • System Location Discovery: System Language Discovery
            PID:4936
          • C:\Windows\system32\SystemSettingsAdminFlows.exe
            "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
            1⤵
            • Modifies data under HKEY_USERS
            PID:3256

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\chrome.dll
            Filesize

            676KB

            MD5

            eda18948a989176f4eebb175ce806255

            SHA1

            ff22a3d5f5fb705137f233c36622c79eab995897

            SHA256

            81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

            SHA512

            160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-1-19.1259.2792.1.odl
            Filesize

            1KB

            MD5

            fefac08536c5166f4f789a643dfd5f36

            SHA1

            326f6515bc9140f3abcd0dc8bff40885094aac15

            SHA256

            4f8b69b39bed092a1617e7bd371d871e4e84e3642840145acb958e6c9f9c7eb6

            SHA512

            f14ae27e85f5b69b072ab6204224f006c17fd991df31a5b6b3761cc1f292846cff19fc1b73550afbf426f65d306e21dc2a009275aa1c3bb62015275d55403f77

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-1-19.1259.3824.1.aodl
            Filesize

            706B

            MD5

            c45289807fdb3d6d531e5bb2154c1111

            SHA1

            6e59d14708b61770f3e497b7900dbb650c6c2d64

            SHA256

            4ade69cbce3db3bf327bb33b6eafd9f2f0bd356fc97a990c350884cf69e8b7a6

            SHA512

            989e9eb7e557714061b89e2ca121ec0201c0d0df1eadb930ecb601a5ffa6c67e97c7c26c478b9abca638372da06724df7c59c2914aa213114f3093d18db08900

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp
            Filesize

            1KB

            MD5

            b8d880298ff358ce9390aba649791b2a

            SHA1

            a0684d9baeb2ad687f09214c03e6994d8c3005de

            SHA256

            4fb603143aa8bae9f10e4ad80fdb34a0ca2bc22b638a573824d70ae83a52acaf

            SHA512

            3207462ecb205eb4f7c036dcfe21cb5ea3e206a247087edc2f1d887953763294e3a4197ef7f9c4386b6391146839c026618e4fe10ee5ddb1a7070d5bda100534

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\kczpcwlt\kczpcwlt.dll
            Filesize

            8KB

            MD5

            0e82aa4a97aa2394bd7ae37e5c1dd292

            SHA1

            49ab37c475e61694fd673576c31e88249a27e4bf

            SHA256

            40493192627c5ce599c934c0d0e19c204d0af865b47dadaeaae66eb74d5823d8

            SHA512

            806f3f4030014c37cac6488707088747ce91e52cd825b6cd081cb421720bbc07ac5452e24a400a0f34fe3ae65c6dc9a58976ad2b464943de1250257eb18a5865

            Download Submit

          • C:\Users\Admin\Videos\Captures\desktop.ini
            Filesize

            190B

            MD5

            b0d27eaec71f1cd73b015f5ceeb15f9d

            SHA1

            62264f8b5c2f5034a1e4143df6e8c787165fbc2f

            SHA256

            86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

            SHA512

            7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\kczpcwlt\CSCBA904EA4ACEE4C339E7BB1A64DA45A77.TMP
            Filesize

            652B

            MD5

            a90465b915e9abe28abc642b890e6e22

            SHA1

            42e88dde596d0828972aa8d4ee2b9f36b687a145

            SHA256

            1fc98e067a386071d15e53b8c8238e43a840bed2ae611274020edeabed286b74

            SHA512

            ca3c0aa024382c811e8a2ad137f619839f8ca6db49793a47a84f4744a05052ab5410095535ea210c4cc51f0dbfd33b53a9c15cb3cb6f53fe2ac1231d61fec859

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\kczpcwlt\kczpcwlt.0.cs
            Filesize

            10KB

            MD5

            b022c6fe4494666c8337a975d175c726

            SHA1

            8197d4a993e7547d19d7b067b4d28ebe48329793

            SHA256

            d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

            SHA512

            df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\kczpcwlt\kczpcwlt.cmdline
            Filesize

            204B

            MD5

            f0307e1894533b9fb8d6f8cfc0b40dff

            SHA1

            798ed7b0400d87ed42d9011c7d1def7ca857de8e

            SHA256

            66c5c901be5a6c46ce33ce724b8ca87464dd5f3edb3cbf2d8d2bfcef09657fa4

            SHA512

            3457187d33730ca88e3d87b60886b88c2b68bc04d893429d00cef640a8d347379e6d3cfac33b313749fc5d051900899cbf3900edcdc6cb5f42386bfd88cf1acc

            Download Submit

          • memory/3248-21-0x0000000000400000-0x0000000000700000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/3248-17-0x0000000000400000-0x0000000000700000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/3248-41-0x0000000000400000-0x0000000000700000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/3248-42-0x0000000000400000-0x0000000000700000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/3248-22-0x0000000000400000-0x0000000000700000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4752-66-0x00000160AE200000-0x00000160AE320000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4752-67-0x00000160AE200000-0x00000160AE320000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/5028-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5028-25-0x0000000074A50000-0x0000000075201000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5028-15-0x0000000004F10000-0x0000000004F18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/5028-2-0x0000000074A50000-0x0000000075201000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5028-1-0x0000000000410000-0x0000000000422000-memory.dmp

            Filesize

            72KB

            Download