Overview

overview

10

Static

static

3

activator.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    53s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-01-2025 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    activator.exe

  • Size

    9.8MB

  • MD5

    2a7ec240fa5e25c92b2b78c4f1002ea0

  • SHA1

    bca1465b8bafa5fe58d96d4289356d40c3d44155

  • SHA256

    2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca

  • SHA512

    dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3

  • SSDEEP

    98304:D2FemCZvjc2SdS7Q+6qfx0Suals9I/f0E7zs/Ym6lQCpR2RJncpl2:6FeppPfxLsQf/7zLzVpWnQ2

Score
10/10
vidarfc0stndiscoverystealer

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

C2

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Suspicious use of SetThreadContext 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\activator.exe
    "C:\Users\Admin\AppData\Local\Temp\activator.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4428
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3852
    • C:\Users\Admin\Desktop\activator.exe
      "C:\Users\Admin\Desktop\activator.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        2⤵
          PID:3700
      • C:\Users\Admin\Desktop\activator.exe
        "C:\Users\Admin\Desktop\activator.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          2⤵
            PID:4984
        • C:\Users\Admin\Desktop\activator.exe
          "C:\Users\Admin\Desktop\activator.exe"
          1⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4196
          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2716
        • C:\Users\Admin\Desktop\activator.exe
          "C:\Users\Admin\Desktop\activator.exe"
          1⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            2⤵
              PID:1036
          • C:\Users\Admin\Desktop\activator.exe
            "C:\Users\Admin\Desktop\activator.exe"
            1⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              2⤵
                PID:812
            • C:\Users\Admin\Desktop\activator.exe
              "C:\Users\Admin\Desktop\activator.exe"
              1⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4752
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                2⤵
                  PID:5012
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:5028
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:2952
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:3724
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:2852
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:1956
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:4776
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:1872
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:4696
              • C:\Users\Admin\Desktop\activator.exe
                "C:\Users\Admin\Desktop\activator.exe"
                1⤵
                • System Location Discovery: System Language Discovery
                PID:1988

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1036-21-0x0000000000400000-0x0000000000460000-memory.dmp

                Filesize

                384KB

                Download

              • memory/2716-15-0x0000000000700000-0x0000000000760000-memory.dmp

                Filesize

                384KB

                Download

              • memory/2716-18-0x0000000000700000-0x0000000000760000-memory.dmp

                Filesize

                384KB

                Download

              • memory/3612-0-0x0000000000220000-0x0000000000C1F000-memory.dmp

                Filesize

                10.0MB

                Download

              • memory/3612-2-0x0000000000220000-0x0000000000C1F000-memory.dmp

                Filesize

                10.0MB

                Download

              • memory/3700-23-0x0000000000400000-0x0000000000460000-memory.dmp

                Filesize

                384KB

                Download

              • memory/4428-1-0x0000000000400000-0x0000000000460000-memory.dmp

                Filesize

                384KB

                Download

              • memory/4428-3-0x0000000000400000-0x0000000000460000-memory.dmp

                Filesize

                384KB

                Download

              • memory/4984-22-0x0000000000400000-0x0000000000460000-memory.dmp

                Filesize

                384KB

                Download