stealc | 84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe
Size

359KB
MD5

6aae5ad15e0ee9da87ab30971373a029
SHA1

2dd9bf3ee10067d4c365926768e8ee9ed0a4ec3b
SHA256

84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d
SHA512

aa978aa7b038fe958c97d3e8622bed7d3d914495dd4ca3c247638793a32bf788224adc55310d5f01069179711f1225c8d4c1f089fecfe88ede15b95db61ec83d
SSDEEP

6144:DagQdkTUGJXOjv5o1SDQBdmoclENDznZhnMU+YU+1P7p7K4UTi3r:mgSkTUGRODeBCEBthw+1P3Eor

Score

10^/10

stealc vidar stealer

Malware Config

Signatures

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000F40000-0x0000000000F9E000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000F40000-0x0000000000F9E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000F40000-0x0000000000F9E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables containing potential Windows Defender anti-emulation checks 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000F40000-0x0000000000F9E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3008 2916 WerFault.exe 84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe

pid	pid_target	process	target process
3008	2916	WerFault.exe	84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe

description	pid	process	target process
PID 2916 wrote to memory of 3008	2916	84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe	WerFault.exe
PID 2916 wrote to memory of 3008	2916	84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe	WerFault.exe
PID 2916 wrote to memory of 3008	2916	84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe	WerFault.exe
PID 2916 wrote to memory of 3008	2916	84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe
"C:\Users\Admin\AppData\Local\Temp\84da3a03933420160dd928675e81ca1e46b132aee69680e0aac5b297624ebc6d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 48
2⤵
- Program crash
PID:3008

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2916-0-0x0000000000F40000-0x0000000000F9E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads