Analysis
-
max time kernel
141s -
max time network
127s -
platform
windows11-21h2_x64 -
resource
win11-20250314-es -
resource tags
-
submitted
01/04/2025, 00:57
General
-
Target
X-ToolUnlock/XToolUnlock_v3.1.exe
-
Size
634KB
-
MD5
93adf8065f0c98800caaa0c04643086d
-
SHA1
1d9155ca4e97cd715a2053e98578bc3c41e144dd
-
SHA256
93333cc84d80767f88528b50cd5f563a7fc2626e0817ab9a666df733dd51d369
-
SHA512
6253872a445477fff892ba37f51aa44e655a7f61dc8ee8e9242911b8c2e9dac105234681255cdf82526239bfc582e8205f8aa9fb7e6a94b4cf2bf696dd26524b
-
SSDEEP
12288:SaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OH2JrZwIRlUR:Kw4GBpehMjcuP5b4Fty3pZwglUR
Malware Config
Extracted
vidar
13.3
286abd424eeeb855a080435369086f7f
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Signatures
-
Detect Vidar Stealer 35 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\X-ToolUnlock\XToolUnlock_v3.1.exe"C:\Users\Admin\AppData\Local\Temp\X-ToolUnlock\XToolUnlock_v3.1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe86f7dcf8,0x7ffe86f7dd04,0x7ffe86f7dd104⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1972 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --field-trial-handle=2232,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2244 /prefetch:114⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2516 /prefetch:134⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3324 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3344 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4236,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4264 /prefetch:94⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4668,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4744 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4948,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5288 /prefetch:144⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=es --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5288,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5440 /prefetch:144⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5324,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5592 /prefetch:144⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5736,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5752 /prefetch:144⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5608,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5448 /prefetch:144⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5612,i,16866829404555771024,9748669583974959514,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5624 /prefetch:144⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x25c,0x7ffe86f5f208,0x7ffe86f5f214,0x7ffe86f5f2204⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,8400135082157119729,16815052272680467471,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2116,i,8400135082157119729,16815052272680467471,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2376,i,8400135082157119729,16815052272680467471,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:134⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,8400135082157119729,16815052272680467471,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3500,i,8400135082157119729,16815052272680467471,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:14⤵
- Uses browser remote debugging
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\lnyu3" & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 114⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD5e1954fe30b38758d0456406ef63fee66
SHA12c9cad94c5ba81cdd9403e384d24f3cbefd1cb03
SHA2568000a6ab43bdcf9d6d8ad73a39d445e9861d87d98c01356be20a2d141822f645
SHA512127a4abb6053bb13432488cf514c5bd3b498de5b1587e2058e549caac1cec627c391e0103afed4a7d9a66b2f67f897ad8de919f2401ecc164e717da6f6730c43
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD5de7e15a1e28bfba04b9a7b3005d77d58
SHA11d8bbc4dd6974ff9ed596b500eeb3823edc8432a
SHA25647e91d2c93d1af59a3c47ddb05d3530205f191322b06a82338e1d0d3a4291f8b
SHA5129eb777b51ccbcf064b62d8f228328dca297a9ded615ed1804fbb4bc68ce58250e153e7575e25909fb6e29ef5b219147c8afeb49c05cab2360eb3ffcda089badf
-
Filesize
280B
MD5c50c5371ecfe45ba3e7f3a8097c51ae3
SHA146b0f0270773246e817153eee20f1f593c2a471e
SHA2561acd245a4f8d33d350c38dfe8af1b1ab7826c07ba276faf813314e3ff1e4144d
SHA512f6923998922302ce18bc117a37e401edb308f7f4c17244055c148db91e1ada19a898cb327dfa7159ccb7367d8c5b78118db7e834ba4ce0ede5f599b1020de854
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
327B
MD5b2f9ae3212ed4f5818d932748916c894
SHA10e28c656e6500301be0408fcfb26643dfd081fb4
SHA256733485af4daf90382b024b7f72c0edd0c775913fbbe1206e2a67d23377dc938c
SHA512f4415b5aa4921b66e4e23bdd32ef3c28fe0b7747d66948c876280c938abefa729fbfee9820b3e1a051fd932cddaab1ac184e5c02b47cf6a75fc78108a986f89f
-
Filesize
41KB
MD5881b7b7a6bf9ef3063141948b6ee752b
SHA171a6ed9439bfce78cfdca5befe31d6e019e6072a
SHA25640fee765b0ae7f991754adb45466f5654c1d57ff8f9088946eb0169359f2b163
SHA51204a51562435c526af3d1ae6f49c6ba5b5c71ffe4e66ef42925d230407a5fc29947a286400d369641770c0ed69b6196b84403df1c8508f678f6827239115eac5c
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB