stealc | f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1

General

Target

f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe
Size

36.1MB
MD5

ccacce8535f682dd67c701d9157ef218
SHA1

5f72f5e427590a0c5e184cb013d27cc3d1af265f
SHA256

f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1
SHA512

ea0816462acc433c02800f43f7d979db68d2ec78e075e2d9f0a776b9ba24b5e27ad36d9e1bab0f0276585de422b42553b2fc9c1e2571e50861bd2fd66a6ce576
SSDEEP

393216:B1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf6:BMguj8Q4VfvfqFTrYx

Score

10^/10

stealc vidar discovery execution spyware stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

http://88.198.124.82:80

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3868-38-0x0000000002470000-0x00000000026B6000-memory.dmp	family_vidar_v7
behavioral2/memory/3868-40-0x0000000002470000-0x00000000026B6000-memory.dmp	family_vidar_v7
behavioral2/memory/3868-56-0x0000000002470000-0x00000000026B6000-memory.dmp	family_vidar_v7
behavioral2/memory/3868-57-0x0000000002470000-0x00000000026B6000-memory.dmp	family_vidar_v7
behavioral2/memory/3868-73-0x0000000002470000-0x00000000026B6000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4324 powershell.exe
Downloads MZ/PE file

pid	process
4324	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe

Executes dropped EXE 1 IoCs

Processes:

payload_pump_em7G.exe

pid process

3868 payload_pump_em7G.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

payload_pump_em7G.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString payload_pump_em7G.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepayload_pump_em7G.exe

pid process

4324 powershell.exe
4324 powershell.exe
3868 payload_pump_em7G.exe
3868 payload_pump_em7G.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4324 powershell.exe

pid	process
3868	payload_pump_em7G.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	payload_pump_em7G.exe

pid	process
4324	powershell.exe
4324	powershell.exe
3868	payload_pump_em7G.exe
3868	payload_pump_em7G.exe

description	pid	process
Token: SeDebugPrivilege	4324	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.execmd.exepowershell.exe

description	pid	process	target process
PID 3076 wrote to memory of 2924	3076	f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe	cmd.exe
PID 3076 wrote to memory of 2924	3076	f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe	cmd.exe
PID 2924 wrote to memory of 4324	2924	cmd.exe	powershell.exe
PID 2924 wrote to memory of 4324	2924	cmd.exe	powershell.exe
PID 4324 wrote to memory of 3868	4324	powershell.exe	payload_pump_em7G.exe
PID 4324 wrote to memory of 3868	4324	powershell.exe	payload_pump_em7G.exe
PID 4324 wrote to memory of 3868	4324	powershell.exe	payload_pump_em7G.exe

C:\Users\Admin\AppData\Local\Temp\f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe
"C:\Users\Admin\AppData\Local\Temp\f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -Command "& { . 'C:\Users\Admin\AppData\Local\UrnHmLBtCG\NySx.ps1'; StartWork -path "C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe" }" -WindowStyle Hidden"
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "& { . 'C:\Users\Admin\AppData\Local\UrnHmLBtCG\NySx.ps1'; StartWork -path "C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe" }" -WindowStyle Hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe
"C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ray5h3q.jdu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\UrnHmLBtCG\NySx.ps1

Filesize
219B

MD5
1cb2937ab3795e2d9c46d63df6751b4b

SHA1
29097d56ac7d84574f94aaeca7f959a0eb7ca3b8

SHA256
883f3f7577ed43fb2ac7a9c3dabb346b190aecc06b680de0419981ea5906e8f4

SHA512
bed002de458e93fca23e0661feebafb69dcc23aaf5da982adf2386fdca00715667290a050be869046c38921cb02a97ba03904cc4ee3869f04d7e4a765f12db2e

Download Submit
memory/3868-29-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/3868-28-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/3868-73-0x0000000002470000-0x00000000026B6000-memory.dmp

Filesize
2.3MB

Download
memory/3868-57-0x0000000002470000-0x00000000026B6000-memory.dmp

Filesize
2.3MB

Download
memory/3868-33-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/3868-32-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/3868-31-0x0000000002250000-0x0000000002257000-memory.dmp

Filesize
28KB

Download
memory/3868-30-0x0000000002250000-0x0000000002257000-memory.dmp

Filesize
28KB

Download
memory/3868-56-0x0000000002470000-0x00000000026B6000-memory.dmp

Filesize
2.3MB

Download
memory/3868-43-0x0000000010000000-0x000000001025F000-memory.dmp

Filesize
2.4MB

Download
memory/3868-27-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3868-35-0x0000000002270000-0x0000000002289000-memory.dmp

Filesize
100KB

Download
memory/3868-34-0x0000000002270000-0x0000000002289000-memory.dmp

Filesize
100KB

Download
memory/3868-38-0x0000000002470000-0x00000000026B6000-memory.dmp

Filesize
2.3MB

Download
memory/3868-40-0x0000000002470000-0x00000000026B6000-memory.dmp

Filesize
2.3MB

Download
memory/4324-39-0x00007FFC08A60000-0x00007FFC09521000-memory.dmp

Filesize
10.8MB

Download
memory/4324-23-0x000002074E240000-0x000002074E262000-memory.dmp

Filesize
136KB

Download
memory/4324-11-0x00007FFC08A63000-0x00007FFC08A65000-memory.dmp

Filesize
8KB

Download
memory/4324-21-0x00007FFC08A60000-0x00007FFC09521000-memory.dmp

Filesize
10.8MB

Download
memory/4324-22-0x00007FFC08A60000-0x00007FFC09521000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads