stealc | a651607b9bba24d9c35bde35df0c398a0c916fae71b9b4c37ed13b444a4ec629

Resubmissions

25/05/2024, 16:32

240525-t2a6faae9w 10

25/05/2024, 15:14

240525-smrdfagf9t 10

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

10.1MB
MD5

1c57a22d32a4e973c63c90f84946149e
SHA1

98954b5054e5c4bb6e509bb34bf60b282f6efeea
SHA256

a651607b9bba24d9c35bde35df0c398a0c916fae71b9b4c37ed13b444a4ec629
SHA512

670216e4f8ef062e45dd9a7df0ce604b839f7e1e6eb51aeff6d95a96b12d882c1e50a0dc8e13df89e62cd3ea82031b385d254c5c0c807702b2d6e27e99617e6d
SSDEEP

196608:6cSu3XxiLS7jUJjRas3w+8wB6+d02F185c12dtkUoQ2kFl2ZnG46zsI7f1wGoO:/SuHxqS7Sdas3wHz+uM18i12dtkUTRl5

Score

10^/10

stealc vidar stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2072-26-0x0000000000B20000-0x000000000126A000-memory.dmp	family_vidar_v7
behavioral1/memory/2072-35-0x0000000000B20000-0x000000000126A000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Loads dropped DLL 9 IoCs

pid	Process
940	comp.exe
2072	XDD.au3
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 940	2776	Setup.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2072	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2776	Setup.exe
2776	Setup.exe
940	comp.exe
940	comp.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2776	Setup.exe
940	comp.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 940	2776	Setup.exe	28
PID 2776 wrote to memory of 940	2776	Setup.exe	28
PID 2776 wrote to memory of 940	2776	Setup.exe	28
PID 2776 wrote to memory of 940	2776	Setup.exe	28
PID 2776 wrote to memory of 940	2776	Setup.exe	28
PID 940 wrote to memory of 2072	940	comp.exe	32
PID 940 wrote to memory of 2072	940	comp.exe	32
PID 940 wrote to memory of 2072	940	comp.exe	32
PID 940 wrote to memory of 2072	940	comp.exe	32
PID 940 wrote to memory of 2072	940	comp.exe	32
PID 940 wrote to memory of 2072	940	comp.exe	32
PID 2072 wrote to memory of 2764	2072	XDD.au3	33
PID 2072 wrote to memory of 2764	2072	XDD.au3	33
PID 2072 wrote to memory of 2764	2072	XDD.au3	33
PID 2072 wrote to memory of 2764	2072	XDD.au3	33

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\comp.exe
  C:\Windows\SysWOW64\comp.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\XDD.au3
    C:\Users\Admin\AppData\Local\Temp\XDD.au3
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 148
      4⤵
      Loads dropped DLL
      Program crash
      PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d407a93

Filesize
6.7MB

MD5
79c84428129e577f90a46e1ca8c97197

SHA1
a4bff3a39ba004a65cfdc911d1c0f56ae248c647

SHA256
f99c106c9dac2077f8fbcb1fa55b4c6be4315ece789f0c03505b94817974a2c7

SHA512
96c37c758ab7c0836fc0f23d6876c5fd65226b3ebb670699b0b5bb325c36354d14dafa6f71961081930517b62cec4a5114e2feefc22f0555ad7647d9e848fcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d983948

Filesize
6.7MB

MD5
2cc29c1f0b44559c53b82e852c8acb35

SHA1
07848a4a809e6bb42b18740212cc8290f7c1b3bf

SHA256
f4788e7f7523c05215f48cf0767b141613af5181d247d2b7cadd6802d9025b7c

SHA512
3f8de8c30c4b4b59a0ea5f7fb6e38f1d16f2da1a17c3ba75516fac049a63de401c90ec767065d394e452ebf019de1b112a18155735d2ca4a02b5b293cc0533e4

Download Submit
\Users\Admin\AppData\Local\Temp\XDD.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/940-14-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/940-24-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download
memory/940-19-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download
memory/940-16-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download
memory/940-12-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download
memory/2072-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-26-0x0000000000B20000-0x000000000126A000-memory.dmp

Filesize
7.3MB

Download
memory/2072-35-0x0000000000B20000-0x000000000126A000-memory.dmp

Filesize
7.3MB

Download
memory/2776-10-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download
memory/2776-8-0x00000000747A2000-0x00000000747A4000-memory.dmp

Filesize
8KB

Download
memory/2776-9-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download
memory/2776-7-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2776-6-0x0000000074790000-0x0000000074904000-memory.dmp

Filesize
1.5MB

Download