Malware Analysis Report

2025-04-14 08:09

Sample ID 250323-zbkj3svsc1
Target malware.7z
SHA256 fc692e62d466b316c3d0174fdbe6fa6d778e47e29b356a39d9a8f3df1e4a571d
Tags
discovery stealer 651 vidar raccoon 4ea2de23519e3f57fa6e68e00db8cdfa44e74741 spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc692e62d466b316c3d0174fdbe6fa6d778e47e29b356a39d9a8f3df1e4a571d

Threat Level: Known bad

The file malware.7z was found to be: Known bad.

Malicious Activity Summary

discovery stealer 651 vidar raccoon 4ea2de23519e3f57fa6e68e00db8cdfa44e74741 spyware

Vidar Stealer

Raccoon

Raccoon family

Vidar

Vidar family

Raccoon Stealer V1 payload

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-23 20:32

Signatures

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Vidar family

vidar

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-03-23 20:32

Reported

2025-03-23 20:33

Platform

win7-20240903-en

Max time kernel

18s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe" end

Network

N/A

Files

memory/1352-0-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2568-1-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-03-23 20:32

Reported

2025-03-23 20:33

Platform

win10v2004-20250314-en

Max time kernel

17s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 6020 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 1352 wrote to memory of 6020 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 1352 wrote to memory of 6020 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Local\Temp\3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe" end

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp

Files

memory/1352-0-0x0000000000400000-0x000000000041F000-memory.dmp

memory/6020-1-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-23 20:32

Reported

2025-03-23 20:33

Platform

win7-20250207-en

Max time kernel

40s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0.exe

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp

Files

memory/2024-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2024-2-0x0000000003350000-0x00000000033E0000-memory.dmp

memory/2024-3-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2024-4-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2024-5-0x0000000003350000-0x00000000033E0000-memory.dmp

memory/2024-7-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2024-6-0x0000000000400000-0x00000000032DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-23 20:32

Reported

2025-03-23 20:33

Platform

win10v2004-20250314-en

Max time kernel

33s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0.exe

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 199.59.243.228:443 telete.in tcp

Files

memory/3920-1-0x00000000033D0000-0x00000000034D0000-memory.dmp

memory/3920-2-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/3920-3-0x0000000000400000-0x0000000000493000-memory.dmp

memory/3920-4-0x00000000033D0000-0x00000000034D0000-memory.dmp

memory/3920-5-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/3920-7-0x0000000000400000-0x0000000000493000-memory.dmp

memory/3920-6-0x0000000000400000-0x00000000032DB000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-23 20:32

Reported

2025-03-23 20:33

Platform

win7-20240903-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 manillamemories.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-23 20:32

Reported

2025-03-23 20:33

Platform

win10v2004-20250314-en

Max time kernel

16s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 manillamemories.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

N/A