Overview

overview

10

Static

static

1

f954f81800...a1.exe

windows7-x64

1

f954f81800...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe

  • Size

    36.1MB

  • MD5

    ccacce8535f682dd67c701d9157ef218

  • SHA1

    5f72f5e427590a0c5e184cb013d27cc3d1af265f

  • SHA256

    f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1

  • SHA512

    ea0816462acc433c02800f43f7d979db68d2ec78e075e2d9f0a776b9ba24b5e27ad36d9e1bab0f0276585de422b42553b2fc9c1e2571e50861bd2fd66a6ce576

  • SSDEEP

    393216:B1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf6:BMguj8Q4VfvfqFTrYx

Score
10/10
stealcvidardiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

http://88.198.124.82:80

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 5 IoCs
    stealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe
    "C:\Users\Admin\AppData\Local\Temp\f954f818007b508badc400417584ae7726a71f4b697d8b1eb13184318ef1eda1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -Command "& { . 'C:\Users\Admin\AppData\Local\UrnHmLBtCG\NySx.ps1'; StartWork -path "C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe" }" -WindowStyle Hidden"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -Command "& { . 'C:\Users\Admin\AppData\Local\UrnHmLBtCG\NySx.ps1'; StartWork -path "C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe" }" -WindowStyle Hidden
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe
          "C:\Users\Admin\AppData\Local\NNTcevcJgp\qhaWH\payload_pump_em7G.exe"
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ray5h3q.jdu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\UrnHmLBtCG\NySx.ps1
    Filesize

    219B

    MD5

    1cb2937ab3795e2d9c46d63df6751b4b

    SHA1

    29097d56ac7d84574f94aaeca7f959a0eb7ca3b8

    SHA256

    883f3f7577ed43fb2ac7a9c3dabb346b190aecc06b680de0419981ea5906e8f4

    SHA512

    bed002de458e93fca23e0661feebafb69dcc23aaf5da982adf2386fdca00715667290a050be869046c38921cb02a97ba03904cc4ee3869f04d7e4a765f12db2e

    Download Submit
  • memory/3868-29-0x0000000002240000-0x000000000224A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3868-28-0x0000000002240000-0x000000000224A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3868-73-0x0000000002470000-0x00000000026B6000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/3868-57-0x0000000002470000-0x00000000026B6000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/3868-33-0x0000000002260000-0x0000000002264000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3868-32-0x0000000002260000-0x0000000002264000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3868-31-0x0000000002250000-0x0000000002257000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3868-30-0x0000000002250000-0x0000000002257000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3868-56-0x0000000002470000-0x00000000026B6000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/3868-43-0x0000000010000000-0x000000001025F000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/3868-27-0x0000000000400000-0x00000000004F2000-memory.dmp
    Filesize

    968KB

    Download
  • memory/3868-35-0x0000000002270000-0x0000000002289000-memory.dmp
    Filesize

    100KB

    Download
  • memory/3868-34-0x0000000002270000-0x0000000002289000-memory.dmp
    Filesize

    100KB

    Download
  • memory/3868-38-0x0000000002470000-0x00000000026B6000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/3868-40-0x0000000002470000-0x00000000026B6000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/4324-39-0x00007FFC08A60000-0x00007FFC09521000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4324-23-0x000002074E240000-0x000002074E262000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4324-11-0x00007FFC08A63000-0x00007FFC08A65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4324-21-0x00007FFC08A60000-0x00007FFC09521000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4324-22-0x00007FFC08A60000-0x00007FFC09521000-memory.dmp
    Filesize

    10.8MB

    Download