stealc | 84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d

Analysis

max time kernel
66s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

359KB
MD5

6aae5ad15e0ee9da87ab30971373a029
SHA1

2dd9bf3ee10067d4c365926768e8ee9ed0a4ec3b
SHA256

84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d
SHA512

aa978aa7b038fe958c97d3e8622bed7d3d914495dd4ca3c247638793a32bf788224adc55310d5f01069179711f1225c8d4c1f089fecfe88ede15b95db61ec83d
SSDEEP

6144:DagQdkTUGJXOjv5o1SDQBdmoclENDznZhnMU+YU+1P7p7K4UTi3r:mgSkTUGRODeBCEBthw+1P3Eor

Score

10^/10

stealc vidar 03cea2609023d13f145ac6c5dc897112 stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

9.3

Botnet

03cea2609023d13f145ac6c5dc897112

https://steamcommunity.com/profiles/76561199680449169

https://t.me/r1g1o

Attributes

profile_id_v2
03cea2609023d13f145ac6c5dc897112
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4952-0-0x00000000007B0000-0x000000000080E000-memory.dmp	family_vidar_v7
behavioral2/memory/4088-1-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-2-0x00000000007B0000-0x000000000080E000-memory.dmp	family_vidar_v7
behavioral2/memory/4088-4-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4088-6-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4952 set thread context of 4088 4952 file.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4644 4088 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 4952 set thread context of 4088	4952	file.exe	RegAsm.exe

pid	pid_target	process	target process
4644	4088	WerFault.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe
PID 4952 wrote to memory of 4088	4952	file.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1468
3⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4088-1-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4088-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4088-6-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4952-0-0x00000000007B0000-0x000000000080E000-memory.dmp

Filesize
376KB

Download
memory/4952-2-0x00000000007B0000-0x000000000080E000-memory.dmp

Filesize
376KB

Download