stealc | 716b19201a3109a3fb15b0401cb86a9be6df726c8b3a1a1c88cefb445457966b

Analysis

max time kernel
55s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

359KB
MD5

b898ced2e152060f5770f1c6337006f6
SHA1

b607705b76412adecc350bd38994d94ca3870f5a
SHA256

716b19201a3109a3fb15b0401cb86a9be6df726c8b3a1a1c88cefb445457966b
SHA512

4abd4a0c23f8d92c722246cab49797a840ebfd3cd4b900ba310ff243c529149b887620cfee3241c1605e1ae5dab501ee17a8d4de0634c8c52792677b107029a7
SSDEEP

6144:YSgQdkTUGJXOjv5o1SDQadvOKfj7RG77sxEPqwt4vg51O+CNkvtPUavkb3eXr:1gSkTUGRODeaMKLtGfWLwCvRk1PJoeXr

Score

10^/10

stealc vidar 03cea2609023d13f145ac6c5dc897112 stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

9.3

Botnet

03cea2609023d13f145ac6c5dc897112

https://steamcommunity.com/profiles/76561199680449169

https://t.me/r1g1o

Attributes

profile_id_v2
03cea2609023d13f145ac6c5dc897112
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4076-0-0x00000000009A0000-0x00000000009FE000-memory.dmp	family_vidar_v7
behavioral2/memory/4076-2-0x00000000009A0000-0x00000000009FE000-memory.dmp	family_vidar_v7
behavioral2/memory/2664-1-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2664-6-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2664-5-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4076 set thread context of 2664 4076 file.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3888 2664 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 4076 set thread context of 2664	4076	file.exe	RegAsm.exe

pid	pid_target	process	target process
3888	2664	WerFault.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe
PID 4076 wrote to memory of 2664	4076	file.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1448
3⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2664 -ip 2664
1⤵
PID:4548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-1-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2664-6-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2664-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4076-0-0x00000000009A0000-0x00000000009FE000-memory.dmp

Filesize
376KB

Download
memory/4076-2-0x00000000009A0000-0x00000000009FE000-memory.dmp

Filesize
376KB

Download