General

  • Target

    GID Kostenkalkulation.xlsx

  • Size

    18KB

  • Sample

    240525-1kzwssca52

  • MD5

    40924389dc9331074cfefebad5c9d143

  • SHA1

    34452ee0a2fbe130c63986e776b00de4de58036f

  • SHA256

    e0873dd6fa528c110ac90261a7a9e28d93744a6c3d0416b96db0821d5051e3d2

  • SHA512

    2c5a3822d68f852e8a0556d3656e2d678c741f512649a7e4aae91540ad71ce5fd4a43e38458b08f7e14f5fd5bb70268ceb642b46ae03e04683498a33a75c90b3

  • SSDEEP

    384:0PJwxuNNoSWjEKGXa2PAw7bT/52My3YLCoIM+:mJwcNuSzKga2Zb/SILCoB+

Malware Config

  • Extracted

    Family: stealc

    rc4.plain

Targets

    • Target

      GID Kostenkalkulation.xlsx

    • Size

      18KB

    • MD5

      40924389dc9331074cfefebad5c9d143

    • SHA1

      34452ee0a2fbe130c63986e776b00de4de58036f

    • SHA256

      e0873dd6fa528c110ac90261a7a9e28d93744a6c3d0416b96db0821d5051e3d2

    • SHA512

      2c5a3822d68f852e8a0556d3656e2d678c741f512649a7e4aae91540ad71ce5fd4a43e38458b08f7e14f5fd5bb70268ceb642b46ae03e04683498a33a75c90b3

    • SSDEEP

      384:0PJwxuNNoSWjEKGXa2PAw7bT/52My3YLCoIM+:mJwcNuSzKga2Zb/SILCoB+

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Pre-OS Boot (T1542): 1
      Bootkit (T1542.003): 1

  • Defense Evasion

    Pre-OS Boot (T1542): 1
      Bootkit (T1542.003): 1

  • Credential Access

    Unsecured Credentials (T1552): 3
      Credentials In Files (T1552.001): 3

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 3

  • Command and Control

    Web Service (T1102): 1

Tasks