Overview

overview

10

Static

static

1

file01.ps1

windows10-2004-x64

10

file01.ps1

windows11-21h2-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    282s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-01-2025 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file01.ps1

  • Size

    35B

  • MD5

    684c57981b5ed26047c34aee9a2453a1

  • SHA1

    2e154e9c0e6abc9a2bc852aeb941fe5d3117fa3e

  • SHA256

    20b3dc9a088153eb974afee08192cd0b78c96b847e5705cea818c50043c3bddf

  • SHA512

    cca14c6add1e0dfed54e0fe425489bf430bcc438acf386fe4d68cf040fbe55e9997b0d85bcd8cca56e66721292497894b599c919f3af248b4a2ef8a1d112c51b

Score
10/10
vidarfc0stndiscoveryexecutionstealer

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

C2

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\ec80017f-5613-409a-9855-9a9719961a06\updater.exe
      "C:\Users\Admin\AppData\Local\ec80017f-5613-409a-9855-9a9719961a06\updater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2028
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    327975ba2c226434c0009085b3702a06

    SHA1

    b7b8b25656b3caefad9c5a657f101f06e2024bbd

    SHA256

    6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c

    SHA512

    150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    785073822344ae3813284ebc92bb596a

    SHA1

    96e2a933b38352ed2c8e6e34e94756b70c143214

    SHA256

    36ef4cbbc494deacf81f364b546281223a39bea01a32b0c4b0e2324f984d6817

    SHA512

    28b21e17fdf026a025503a2ae1014ea4e8ce5385e42396007a7a23aba3aecb591d225e2a90d47f6f9e02d34792d74b89547715d66899265dbf8372258ccf4498

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vr51o5r0.nau.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\ec80017f-5613-409a-9855-9a9719961a06\updater.exe
    Filesize

    9.8MB

    MD5

    2a7ec240fa5e25c92b2b78c4f1002ea0

    SHA1

    bca1465b8bafa5fe58d96d4289356d40c3d44155

    SHA256

    2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca

    SHA512

    dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3

    Download Submit

  • memory/2028-84-0x0000000000600000-0x0000000000660000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2028-80-0x0000000000600000-0x0000000000660000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2028-79-0x0000000000600000-0x0000000000660000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2168-11-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-16-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-17-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-18-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-15-0x00007FFBDD053000-0x00007FFBDD055000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2168-13-0x000001BCE5470000-0x000001BCE5C16000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2168-12-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-0-0x00007FFBDD053000-0x00007FFBDD055000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2168-95-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-10-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2168-9-0x000001BCE48C0000-0x000001BCE48E2000-memory.dmp

    Filesize

    136KB

    Download