Analysis
-
max time kernel
138s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
-
submitted
18/04/2025, 02:13
General
-
Target
2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe
-
Size
820KB
-
MD5
3cd0db86d5e81b8825b77e67df41bf1a
-
SHA1
cd22219cff15afd6666866a39025cdbabcf39672
-
SHA256
f0e69027e42692d86e5568255610cf9b07223b9cf07327a3d78086c60102e47d
-
SHA512
30c04177a69bf1796ec2f059031f280a385dfeeeadb84e66172f6258efbb96184905604a402b65889430948aef0f5e8d1e86370f5959157618c52374f00821df
-
SSDEEP
12288:4/DKcz2a8Ep3A5WWwLUWdt6/FcMMSdLHmc+9LKLdEEo4Edka+9LKLdEEo4Edkl:QKcz2aN34WWXN/FAcaKLdjRaaKLdjRl
Malware Config
Extracted
vidar
13.5
c466785b3a34d7b3c4d6db04a068b664
https://t.me/v00rd
https://steamcommunity.com/profiles/76561199846773220
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Signatures
-
Detect Vidar Stealer 38 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdb0cddcf8,0x7ffdb0cddd04,0x7ffdb0cddd104⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2056,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2040 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1604,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2276 /prefetch:34⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2388,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2540 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3316 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3292 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4324 /prefetch:24⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4656 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5312,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5324 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,12118994389497250437,14977600767071052528,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5412 /prefetch:84⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffda240f208,0x7ffda240f214,0x7ffda240f2204⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1784,i,5038774980754184330,18395601501347522210,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2120,i,5038774980754184330,18395601501347522210,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2396,i,5038774980754184330,18395601501347522210,262144 --variations-seed-version --mojo-platform-channel-handle=2896 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3592,i,5038774980754184330,18395601501347522210,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3600,i,5038774980754184330,18395601501347522210,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:14⤵
- Uses browser remote debugging
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\va1vs" & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 114⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v16
Credential Access
Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD58f012ec47ef6dd3e33bc848fbb8a78cc
SHA1e2e023e40a9ef48fda70a4af09f342dceb612022
SHA25603ebab80dbca311f72027573bf6c5f1d5a884a1c6d2c491bce8af4b4ff06d260
SHA512468f911f8626b89064387205de95186750e04917a79eadefb65cb7042c3db0492a4352c3b2d9fa0f7a23a12cb61d872d7015dfd6162f7e79421fd8f2b052fa87
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
78KB
MD535639a7845fd2799b77609797b1eecea
SHA19aac1c8229153aa7993319fa8ef16d79e64f3e56
SHA256bba8991935ccbfde9409d287d607795a37c9da278c6088201a338505f92ea2b1
SHA512f1f657b6098778c1b347db68fa2d342f664144307bd305e017ab1b2c6b772dac5e7c0b6eb174749728de6db4e6e932bab58c918b807d7cc4ffefe8b70b0290c9
-
Filesize
280B
MD5cf3da7267cb6a35a74a4dceb3097a615
SHA1a1b06c52d03147a6adbad9d32436b3b497115584
SHA25618a6d652dd17544c9feb2e01621ed64b958b1a26bcee81e29ab29d5a409dc222
SHA5126238eb406a42dfdf3faf7b62c92c6c0993974617f2ff403f6cd0a23dd2d53893bd96e92e78bbe6ba35ff191cdbcb8ecd69318c76547df76341ce9f2d43aae71f
-
Filesize
1KB
MD5c2b38f206241c21eaf6e7703efa48253
SHA1acca008d95bbf9f720dea6c3ce47601baa4aee60
SHA2561936160b639029518f4308818e23314f00b00b0e541404ecf9e1d34bc611b6f4
SHA512271ea10e31e07b396bef4cd1f3580101cdf69bfb7347756cc3fe9d513a81f058c41f5f3200cd230a238b9083f2ac38e8e1961db008dddbc5837bf8e1d90b6261
-
Filesize
1KB
MD5853924e017848163a18b2678cb6b285f
SHA16542d03c337fdb74153519b60fbe2471301ccef5
SHA2562c4b0820586b6b2cc55c0d10f235676d5b60cbada0d5862ee5e5a6add1e8d809
SHA512d7333055e978581e95166be929c1f41449cf0abfdebf02b4c232ac86e94a1ba90c5d3e0ed7971ab32449ef2932c216f7b18b1cdb13ad36c233ccbe4992a25872
-
Filesize
39KB
MD504ea1466ccc47e26c96aaa41f71d6e32
SHA18ab27de12c832847abc1d9a66282e81d76203f7d
SHA256635f444817a8e26a09c0664b6a473f43d7a0822d87f0e40def559f247ec1504c
SHA512b5c257afd5e1f24d575b39bde7d528cc76150948bb7c89e69dd944f6a017b1d51f1d431f924744d897d982efa5cdc9496d3a92f7b6d4f7bdafa1a52c4b81319b
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB