Overview

overview

10

Static

static

10

d959891593...11.exe

windows7-x64

9

d959891593...11.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe

  • Size

    4.8MB

  • Sample

    240525-chgensba85

  • MD5

    3d5d6485af7cd75f9cb1284a35e70f97

  • SHA1

    511388b6ef0247a952580e1aaa70e6e7646e35fb

  • SHA256

    d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411

  • SHA512

    c4340c7947b23b83c8acb2a08fdc599ad24fc891d9ac81e6b98b00509a681266d2f390cf7f10123504b4bffdf77a0108cd6249ca7272ac4f4bcd0d106b406e4a

  • SSDEEP

    98304:pSnTPjsgAvcAbjUTRl92dXeYbFhGLhWQDf6Z1a51:pSnT7bAEAbjUvoDhGLAaj

Score
10/10
stealcvidarspywarestealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Targets

    • Target

      d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe

    • Size

      4.8MB

    • MD5

      3d5d6485af7cd75f9cb1284a35e70f97

    • SHA1

      511388b6ef0247a952580e1aaa70e6e7646e35fb

    • SHA256

      d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411

    • SHA512

      c4340c7947b23b83c8acb2a08fdc599ad24fc891d9ac81e6b98b00509a681266d2f390cf7f10123504b4bffdf77a0108cd6249ca7272ac4f4bcd0d106b406e4a

    • SSDEEP

      98304:pSnTPjsgAvcAbjUTRl92dXeYbFhGLhWQDf6Z1a51:pSnT7bAEAbjUvoDhGLAaj

    Score
    10/10
    stealcvidarspywarestealer

    • Detect Vidar Stealer

      stealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing potential Windows Defender anti-emulation checks

    • Detects executables packed with Dotfuscator

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks