stealc | 26f4752c9c6e47f46a1542f0d3fb360cc90250b5106135c43d66ad096833b1c7

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

387KB
MD5

7318bf9884fb2c2c5fd8cd433ec1365b
SHA1

ee3c29a40f2a55c915305535a1d9bd604d6ed2ee
SHA256

26f4752c9c6e47f46a1542f0d3fb360cc90250b5106135c43d66ad096833b1c7
SHA512

b3c024b70352d1c17fa0f475a0e2db28c58e106e4b4bbebbedc68b1d97dedab7fd8a7e562ccc38a77517a928094157fba91dcd64699419a784b35affc5f784e1
SSDEEP

12288:Xo+IGLAUh9pXNF4kay4y3tZioO65Q14XPi:lIUJrFayjTiIdf

Score

10^/10

stealc vidar 03cea2609023d13f145ac6c5dc897112 stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

9.3

Botnet

03cea2609023d13f145ac6c5dc897112

https://steamcommunity.com/profiles/76561199680449169

https://t.me/r1g1o

Attributes

profile_id_v2
03cea2609023d13f145ac6c5dc897112
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Signatures

Detect Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1100-1-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1100-5-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1100-3-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4448-6-0x0000000000D50000-0x0000000000DB2953-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4448 set thread context of 1100 4448 file.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5084 4448 WerFault.exe file.exe
3872 1100 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 4448 set thread context of 1100	4448	file.exe	RegAsm.exe

pid	pid_target	process	target process
5084	4448	WerFault.exe	file.exe
3872	1100	WerFault.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4448 wrote to memory of 4736	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 4736	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 4736	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe
PID 4448 wrote to memory of 1100	4448	file.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1796
3⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 304
2⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
1⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1100 -ip 1100
1⤵
PID:2104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-1-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4448-0-0x0000000000DAE000-0x0000000000DB0000-memory.dmp

Filesize
8KB

Download
memory/4448-6-0x0000000000D50000-0x0000000000DB2953-memory.dmp

Filesize
394KB

Download