stealc | 37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59

Analysis

max time kernel
146s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
22/05/2024, 08:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe
Size

2.1MB
MD5

7c6870f427c6c04597e8ab697826f01e
SHA1

77ac2d4e0ba3ef02967ea36c8d688535b101bccd
SHA256

37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59
SHA512

10ee334480fb6084c46026e0c18bca9acb06b3c91015f235357c51aa37eb6371a480adeb2ae765d058708e2470a6e4523d557c4c6899db9b4db8602c2c9b112b
SSDEEP

49152:N6uDuaS9refGcJtTF+TxMoxc1TU+j+dAzGwlrh:N6uKb9DctIuoITsdZ

Score

10^/10

stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

stealc

rc4.plain

1
2910114286690104117195131148

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral2/memory/2540-1-0x00000000040A0000-0x00000000041E9000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-4-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-8-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-10-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-19-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-20-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-37-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1500-38-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1500	kat58FD.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat58FD.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	kat58FD.tmp
1500	kat58FD.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81
PID 2540 wrote to memory of 1500	2540	37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe	81

C:\Users\Admin\AppData\Local\Temp\37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe
"C:\Users\Admin\AppData\Local\Temp\37c0f05ee6421cb398999a569599c1b25880c8c58fb89c1256f9a93091337d59.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\kat58FD.tmp
  C:\Users\Admin\AppData\Local\Temp\kat58FD.tmp
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

Network

DNS

steamcommunity.com

kat58FD.tmp

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.68.92.92
DNS

ctldl.windowsupdate.com

kat58FD.tmp

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

8.8.8.8.in-addr.arpa

kat58FD.tmp

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

ocsp.digicert.com

kat58FD.tmp

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

95.221.229.192.in-addr.arpa

kat58FD.tmp

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

nexusrules.officeapps.live.com

kat58FD.tmp

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.48
DNS

92.92.68.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.92.68.104.in-addr.arpa

IN PTR

Response

92.92.68.104.in-addr.arpa

IN PTR

a104-68-92-92deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdcus15.centralus.cloudapp.azure.com

onedscolprdcus15.centralus.cloudapp.azure.com

IN A

13.89.179.11
GET

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

174.123.47.78.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.123.47.78.in-addr.arpa

IN PTR

Response

174.123.47.78.in-addr.arpa

IN PTR

static1741234778clientsyour-serverde
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
POST

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 279
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JECAEHJJJKJKFIDGCBGI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBFIJJEBKEBFCBGDAEGD
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 4677
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

https://78.47.123.174/sqls.dll

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

GET /sqls.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:52 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Last-Modified: Sun, 19 May 2024 16:18:18 GMT
Connection: keep-alive
ETag: "664a264a-258600"
Accept-Ranges: bytes
POST

https://78.47.123.174/

kat58FD.tmp

Remote address:

78.47.123.174:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:30:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

104.68.92.92:443

steamcommunity.com

tls

kat58FD.tmp

2.3kB
42.7kB
39
36
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

1.0kB
2.7kB
11
8

HTTP Request

GET https://78.47.123.174/

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

1.4kB
622 B
9
6

HTTP Request

POST https://78.47.123.174/

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

1.5kB
2.2kB
10
7

HTTP Request

POST https://78.47.123.174/

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

1.6kB
6.3kB
13
10

HTTP Request

POST https://78.47.123.174/

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

1.4kB
672 B
9
6

HTTP Request

POST https://78.47.123.174/

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

6.0kB
605 B
13
7

HTTP Request

POST https://78.47.123.174/

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/sqls.dll

tls, http

kat58FD.tmp

85.5kB
2.5MB
1831
1828

HTTP Request

GET https://78.47.123.174/sqls.dll

HTTP Response

200
78.47.123.174:443

https://78.47.123.174/

tls, http

kat58FD.tmp

1.5kB
528 B
8
5

HTTP Request

POST https://78.47.123.174/

HTTP Response

200

8.8.8.8:53

steamcommunity.com

dns

kat58FD.tmp

411 B
860 B
6
6

DNS Request

steamcommunity.com

DNS Response

104.68.92.92

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.48
8.8.8.8:53

92.92.68.104.in-addr.arpa

dns

290 B
697 B
4
4

DNS Request

92.92.68.104.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

self.events.data.microsoft.com

DNS Response

13.89.179.11
8.8.8.8:53

174.123.47.78.in-addr.arpa

dns

144 B
287 B
2
2

DNS Request

174.123.47.78.in-addr.arpa

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kat58FD.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
memory/1500-4-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1500-8-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1500-10-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1500-19-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1500-20-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1500-22-0x00000000260E0000-0x000000002633F000-memory.dmp

Filesize
2.4MB

Download
memory/1500-37-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1500-38-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/2540-0-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x00000000040A0000-0x00000000041E9000-memory.dmp

Filesize
1.3MB

Download
memory/2540-9-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.