Overview

overview

10

Static

static

7

setup.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    setup.exe

  • Size

    2.8MB

  • Sample

    240511-wj8ebsac7v

  • MD5

    b27e51a6dc4065e25c5aabaf120aa463

  • SHA1

    43b49d435183b27dc6c9b06c596b3db8d92d9c49

  • SHA256

    83b0a9611b9bb5ebd1de0ea48d465705f2ad9e13af9dbc65d0c6c4b2a4081eb6

  • SHA512

    5c03d40300a6932d42beb18a57fde4285a86b8d8e4b44ec3cfeadf6fb137c8135313dd2f54e753b840b3a6e190f74deefbf79c7461d10ce9841dd54f47255efe

  • SSDEEP

    49152:CWz0ly6XP1/a/lRCK3qaKqqUVEIKQy9aO5ywJ/GmmFfltkFOxUy1Ep28TAWa:DzT6+XC6qa8IZhW/GmmFflHx7Sp2RW

Score
10/10
riseprostealcvidarzgrat681a223bec180ebfdc48547d3d5bd784evasionratspywarestealerthemidatrojan

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

9.6

Botnet

681a223bec180ebfdc48547d3d5bd784

C2

https://steamcommunity.com/profiles/76561199681720597

https://t.me/talmatin
Attributes
  • profile_id_v2

    681a223bec180ebfdc48547d3d5bd784

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Targets

    • Target

      setup.exe

    • Size

      2.8MB

    • MD5

      b27e51a6dc4065e25c5aabaf120aa463

    • SHA1

      43b49d435183b27dc6c9b06c596b3db8d92d9c49

    • SHA256

      83b0a9611b9bb5ebd1de0ea48d465705f2ad9e13af9dbc65d0c6c4b2a4081eb6

    • SHA512

      5c03d40300a6932d42beb18a57fde4285a86b8d8e4b44ec3cfeadf6fb137c8135313dd2f54e753b840b3a6e190f74deefbf79c7461d10ce9841dd54f47255efe

    • SSDEEP

      49152:CWz0ly6XP1/a/lRCK3qaKqqUVEIKQy9aO5ywJ/GmmFfltkFOxUy1Ep28TAWa:DzT6+XC6qa8IZhW/GmmFflHx7Sp2RW

    Score
    10/10
    riseprostealcvidarzgrat681a223bec180ebfdc48547d3d5bd784evasionratspywarestealerthemidatrojan

    • Detect Vidar Stealer

      stealer

    • Detect ZGRat V1

    • Modifies firewall policy service

      evasion

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks