An incident responder who's seeking opportunities to work in a technology company!
Operator in Cookie Han Hoan
Admin in Cyber Mely, CyberSpace
Forensic at @World Wide Flags

Malware Analysis - Real Case 5

Hi everyone, welcome to the next chapter of my RE series. Today I want to share a real case about the Vidar stealer, which used some amazing techniques and tactics. Want to know about it right now? Take a seat, make a coffee and enjoy my article. Let’s go!

Sample: click here to see it.

Analysing

First, always check sample information:


It’s a PE32 executable built on Mono/.NET, so from here we can use dnSpy to decompile it.


Yay, it worked, and now it’s time for analysing. But yeah, it’s not as easy as I thought…


Almost all variable and function names were encrypted, and the source code was far too long to analyse by hand. But we cannot stop here: if static analysis does not work, let’s use dynamic analysis, which means running the file and observing its behaviour. I used any.run to run it and got a good result.


  • The file runs an MSBuild.exe process.
  • After that, a cmd.exe process is started and runs a command to self-delete; it also runs timeout.exe to delay execution.
  • While that command is running, it steals browser information.
  • A C2 connection was established when the file was run.
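As an added example (not from the original post), here is defender-side detection logic that runs over constructed process-creation events and flags the chain described above: MSBuild.exe spawning cmd.exe with a timeout-plus-del command line, rated higher when the file being deleted is the image of an ancestor process (i.e. the chain deleting the sample that started it). The event fields, paths and the exact command line are assumptions made for the sample data.

```python
import re

# Constructed process-creation events (hypothetical fields, not a real EDR schema),
# modelled on the chain seen in the sandbox: sample -> MSBuild.exe -> cmd.exe -> timeout.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\user\Desktop\sample.exe", "cmdline": "sample.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c timeout /t 5 & del /f /q "C:\\Users\\user\\Desktop\\sample.exe"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\timeout.exe", "cmdline": "timeout /t 5"},
    # Benign developer build: MSBuild spawning cmd.exe, but with no delayed delete.
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo build done"},
]

# Captures the quoted path that follows a `del` verb in a cmd.exe command line.
DEL_TARGET = re.compile(r'\bdel\b[^"]*"([^"]+)"', re.IGNORECASE)

def image_name(path):
    """Case-insensitive file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... of an event, guarding against pid loops."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def find_self_delete_chains(events):
    """Findings for cmd.exe processes spawned by MSBuild.exe whose command line combines
    timeout with del. Severity is 'high' when the del target is an ancestor's image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent["image"]) != "msbuild.exe":
            continue
        match = DEL_TARGET.search(e["cmdline"])
        if match is None or "timeout" not in e["cmdline"].lower():
            continue
        target = match.group(1).lower()
        lineage = [a["image"].lower() for a in ancestors(e, by_pid)]
        findings.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"], "del_target": target,
                         "severity": "high" if target in lineage else "medium"})
    return findings
```

Running `find_self_delete_chains(SAMPLE_EVENTS)` yields one high-severity finding for pid 300 and ignores the benign build chain.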

When I saw it, I was sure that all the stolen information would be sent to Telegram. There was also a connection to Steam, which reminded me of a technique called DDR; Vidar malware has used this technique before (you can check here).

IOCs

  • URL: hxxps[://]23[.]199[.]218[.]33 (Steam)
  • URL: hxxps[://]188[.]245[.]87[.]202 (another C2 server that was contacted)
  • URL: hxxps[://]149[.]154[.]167[.]99 (Telegram)

Conclusion

This type of malware is dangerous, and in particular the obfuscation of malware payloads makes detection and analysis more challenging. It’s very important not to click on or download any weird links or files, and to always update your computer so that your firewall and all the protection methods inside it stay up to date! Last words: thank you very much for reading my article. As I’ve told you before, I’m just a newbie in Cyber Security and my post may have mistakes, so I’d be very grateful if you gave me advice for a better article! Thank you again and see you in the next post, bye!!
