stealc | c1a01b10b2b9dad03d7e7e37e8e2f3b5028ac1a3f13f7bf574671c661a4e719a

Analysis

max time kernel
66s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

354KB
MD5

5e26f758424a931e10f47df3a5bd657b
SHA1

ff652da66f4c6e517f71a6bd12b7d13a4433950e
SHA256

c1a01b10b2b9dad03d7e7e37e8e2f3b5028ac1a3f13f7bf574671c661a4e719a
SHA512

1f7135903e57df3ff110eaee0700b64ea3d2ce865cbdeb3344c44d8d1fde34058e268f441bd74fc25c0a153c90019d8b1dce783372adb27276eeccac25176292
SSDEEP

6144:MnCfsH8qHTe98nOBgYxMG+HW0ArXht8z+T15dJ4aYaOinN4Xq0UYc0ermz:MnmsH8swLxMGcQrRKz01lHOA4Xq0xVea

Score

10^/10

stealc vidar 03cea2609023d13f145ac6c5dc897112 stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

9.3

Botnet

03cea2609023d13f145ac6c5dc897112

https://steamcommunity.com/profiles/76561199680449169

https://t.me/r1g1o

Attributes

profile_id_v2
03cea2609023d13f145ac6c5dc897112
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4460-0-0x0000000000710000-0x000000000076C000-memory.dmp	family_vidar_v7
behavioral2/memory/4384-1-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4460-3-0x0000000000710000-0x000000000076C000-memory.dmp	family_vidar_v7
behavioral2/memory/4384-7-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4384-5-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4460 set thread context of 4384 4460 file.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 4384 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 4460 set thread context of 4384	4460	file.exe	RegAsm.exe

pid	pid_target	process	target process
1680	4384	WerFault.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4460 wrote to memory of 2800	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 2800	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 2800	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe
PID 4460 wrote to memory of 4384	4460	file.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1484
3⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4384 -ip 4384
1⤵
PID:972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4384-1-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4384-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4384-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4460-0-0x0000000000710000-0x000000000076C000-memory.dmp

Filesize
368KB

Download
memory/4460-3-0x0000000000710000-0x000000000076C000-memory.dmp

Filesize
368KB

Download