Overview

overview

10

Static

static

3

config.exe

windows7-x64

10

config.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2025, 00:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    config.exe

  • Size

    5.2MB

  • MD5

    fcdd5d8bbdd7e9c70b30904c37267bb2

  • SHA1

    6c8c923851462e0c97b48b3826643eea441ed8b6

  • SHA256

    d9b7cd71505bd423ba63c900c792c585314c44d9515cd2767f6c9826e8237979

  • SHA512

    2ea5167cb7c6f4d87d2e3a595cdd40a2be9e24098841a40c64bf50db9e55f954ae7da0646d9ae10f4e833ba793a94fb304791445c8f9f78197e11ce04af012eb

  • SSDEEP

    49152:8l2I+TsDdNum6TfbV+/74e1HOiiI1qCRzecn5EZ8AoFVWkjDH4P1EKLR1Ic201o7:8YI+T8XqfbVy4IuilzfzHhc2PF

Score
10/10
vidarcredential_accessdiscoverystealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

  • Detect Vidar Stealer 15 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Uses browser remote debugging 2 TTPs 7 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\config.exe
    "C:\Users\Admin\AppData\Local\Temp\config.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeb166cc40,0x7ffeb166cc4c,0x7ffeb166cc58
          4⤵
            PID:3844
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2088,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1604 /prefetch:2
            4⤵
              PID:436
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2172 /prefetch:3
              4⤵
                PID:4560
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2500 /prefetch:8
                4⤵
                  PID:2788
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:5096
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:3000
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4488,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4512 /prefetch:8
                  4⤵
                    PID:224
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4252,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4264 /prefetch:1
                    4⤵
                    • Uses browser remote debugging
                    PID:1408
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
                    4⤵
                      PID:440
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
                      4⤵
                        PID:2424
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5060,i,18019957775953321435,3914022017559494491,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
                        4⤵
                          PID:4892
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                        3⤵
                        • Uses browser remote debugging
                        • Enumerates system info in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                        • Suspicious use of FindShellTrayWindow
                        PID:4844
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb16746f8,0x7ffeb1674708,0x7ffeb1674718
                          4⤵
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3244
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,14191073693733195878,6208902544095166680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
                          4⤵
                            PID:4416
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,14191073693733195878,6208902544095166680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
                            4⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2252
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,14191073693733195878,6208902544095166680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
                            4⤵
                              PID:1744
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2000,14191073693733195878,6208902544095166680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
                              4⤵
                              • Uses browser remote debugging
                              PID:4780
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2000,14191073693733195878,6208902544095166680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
                              4⤵
                              • Uses browser remote debugging
                              PID:2360
                      • C:\Windows\system32\taskmgr.exe
                        "C:\Windows\system32\taskmgr.exe" /4
                        1⤵
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:2788
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:2680
                        • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                          1⤵
                            PID:4520
                          • C:\Windows\system32\NOTEPAD.EXE
                            "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Temp\officeclicktorun.exe_streamserver(20250217160432390).log
                            1⤵
                            • Opens file in notepad (likely ransom note)
                            PID:64
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                            1⤵
                              PID:3280

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              f09c5037ff47e75546f2997642cac037

                              SHA1

                              63d599921be61b598ef4605a837bb8422222bef2

                              SHA256

                              ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662

                              SHA512

                              280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              010f6dd77f14afcb78185650052a120d

                              SHA1

                              76139f0141fa930b6460f3ca6f00671b4627dc98

                              SHA256

                              80321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7

                              SHA512

                              6e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              ee776c8992a207b639255f55aeef85cb

                              SHA1

                              1db8d3c5db4bbbcd90eaffd7845158cc0a500f67

                              SHA256

                              58f8b27749cd55fcf3bcb8fd6847dc92f6f8a865e3c08524792113de81e0217b

                              SHA512

                              484771bd8e20c1acf70736da39c9075554ed390074b79cf83a586314501230b26734cd0d3f012ee5b5ef97e7d1ef7f916692979e95a50816aebb2663afdcafc2

                              Download Submit

                            • memory/1940-69-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-61-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-79-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-78-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-76-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-13-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-14-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-21-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-22-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-23-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-24-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-75-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-71-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-70-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-62-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1940-65-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2788-0-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-9-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-11-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-10-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-6-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-7-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-8-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-12-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-1-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2788-2-0x000001A3D5B50000-0x000001A3D5B51000-memory.dmp

                              Filesize

                              4KB

                              Download