Overview

overview

10

Static

static

3

132289704d...d0.exe

windows7-x64

3

132289704d...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    132289704de81e5014306f192b09c97c0252ce3fcc72d981779085e7b9a61cd0.exe

  • Size

    1.9MB

  • MD5

    539811c87f4654f1665e9a49c5457066

  • SHA1

    f7b825496b715d84c2e87d8b60ebcf7505b6cd4c

  • SHA256

    132289704de81e5014306f192b09c97c0252ce3fcc72d981779085e7b9a61cd0

  • SHA512

    a654a2554828998ffd91fd60288fcf740813e129b2b375a42eaad049cd5bc7868a755e120a5b195f578eac9adde463f5c5b926e8f89a69122f697bb73e199e4d

  • SSDEEP

    49152:/fZTmjlVqD/zL8EDMGWUt9PZWQKzw65ZkzQuKAW1Db96jIt6:/xy3qD/zL8HUt9Ygq6MukPh

Score
10/10
stealcvidardiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 9 IoCs
    stealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Detect binaries embedding considerable number of MFA browser extension IDs. 8 IoCs
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 8 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 9 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 8 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 9 IoCs
  • Detects executables containing potential Windows Defender anti-emulation checks 9 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\132289704de81e5014306f192b09c97c0252ce3fcc72d981779085e7b9a61cd0.exe
    "C:\Users\Admin\AppData\Local\Temp\132289704de81e5014306f192b09c97c0252ce3fcc72d981779085e7b9a61cd0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Checks computer location settings
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\JDHCBAEHJJ.exe"
        3⤵
        • Checks computer location settings
        PID:4384
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJKKKFCFHCFI" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • Delays execution with timeout.exe
          PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/116-0-0x0000000000760000-0x0000000000761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/116-1-0x0000000000760000-0x0000000000761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/116-3-0x0000000000760000-0x0000000000761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3060-2-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-5-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-8-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-9-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-18-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-19-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-21-0x000000001B8C0000-0x000000001BB1F000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/3060-34-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-35-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-49-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-50-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-64-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/3060-65-0x0000000000400000-0x000000000089E000-memory.dmp
    Filesize

    4.6MB

    Download