General

  • Target

    5d2153603e4b44738ce55836b93d9b8a6676dcb4b9acbef9a4e0a8d3b38d3abd.exe

  • Size

    2.1MB

  • Sample

    240523-bx9jbsgf9z

  • MD5

    e944a0bbd2b4eacf1c70e969db2f600a

  • SHA1

    1e3cc585110b19c62bda4dc3f76dc1ffa14f3775

  • SHA256

    5d2153603e4b44738ce55836b93d9b8a6676dcb4b9acbef9a4e0a8d3b38d3abd

  • SHA512

    fa0488fc8bdfc2cf22eca3170b1806c2caba933e396647a2ffc4728d14a620d3851393f4f0b5157daa5f9de864dda06192f75d952d0b8d41af04b299f7da7cca

  • SSDEEP

    49152:N6uDuaS9refuYJtTF+TxMoxc1TU+j+dAzGwlrh:N6uKb9DYtIuoITsdZ

Malware Config

Extracted

Family

stealc

rc4.plain

Targets

    • Target

      5d2153603e4b44738ce55836b93d9b8a6676dcb4b9acbef9a4e0a8d3b38d3abd.exe

    • Size

      2.1MB

    • MD5

      e944a0bbd2b4eacf1c70e969db2f600a

    • SHA1

      1e3cc585110b19c62bda4dc3f76dc1ffa14f3775

    • SHA256

      5d2153603e4b44738ce55836b93d9b8a6676dcb4b9acbef9a4e0a8d3b38d3abd

    • SHA512

      fa0488fc8bdfc2cf22eca3170b1806c2caba933e396647a2ffc4728d14a620d3851393f4f0b5157daa5f9de864dda06192f75d952d0b8d41af04b299f7da7cca

    • SSDEEP

      49152:N6uDuaS9refuYJtTF+TxMoxc1TU+j+dAzGwlrh:N6uKb9DYtIuoITsdZ

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing potential Windows Defender anti-emulation checks

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks