stealc | a651607b9bba24d9c35bde35df0c398a0c916fae71b9b4c37ed13b444a4ec629

Resubmissions

25-05-2024 16:32

240525-t2a6faae9w 10

25-05-2024 15:14

240525-smrdfagf9t 10

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

10.1MB
MD5

1c57a22d32a4e973c63c90f84946149e
SHA1

98954b5054e5c4bb6e509bb34bf60b282f6efeea
SHA256

a651607b9bba24d9c35bde35df0c398a0c916fae71b9b4c37ed13b444a4ec629
SHA512

670216e4f8ef062e45dd9a7df0ce604b839f7e1e6eb51aeff6d95a96b12d882c1e50a0dc8e13df89e62cd3ea82031b385d254c5c0c807702b2d6e27e99617e6d
SSDEEP

196608:6cSu3XxiLS7jUJjRas3w+8wB6+d02F185c12dtkUoQ2kFl2ZnG46zsI7f1wGoO:/SuHxqS7Sdas3wHz+uM18i12dtkUTRl5

Score

10^/10

stealc vidar stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2860-26-0x0000000000A90000-0x00000000011DA000-memory.dmp	family_vidar_v7
behavioral1/memory/2860-35-0x0000000000A90000-0x00000000011DA000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Loads dropped DLL 9 IoCs

Processes:

comp.exeXDD.au3WerFault.exe

pid process

2156 comp.exe
2860 XDD.au3
2640 WerFault.exe
2640 WerFault.exe
2640 WerFault.exe
2640 WerFault.exe
2640 WerFault.exe
2640 WerFault.exe
2640 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 3020 set thread context of 2156 3020 Setup.exe comp.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2640 2860 WerFault.exe XDD.au3
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.execomp.exe

pid process

3020 Setup.exe
3020 Setup.exe
2156 comp.exe
2156 comp.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.execomp.exe

pid process

3020 Setup.exe
2156 comp.exe

pid	process
2156	comp.exe
2860	XDD.au3
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

description	pid	process	target process
PID 3020 set thread context of 2156	3020	Setup.exe	comp.exe

pid	pid_target	process	target process
2640	2860	WerFault.exe	XDD.au3

pid	process
3020	Setup.exe
3020	Setup.exe
2156	comp.exe
2156	comp.exe

pid	process
3020	Setup.exe
2156	comp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Setup.execomp.exeXDD.au3

description	pid	process	target process
PID 3020 wrote to memory of 2156	3020	Setup.exe	comp.exe
PID 3020 wrote to memory of 2156	3020	Setup.exe	comp.exe
PID 3020 wrote to memory of 2156	3020	Setup.exe	comp.exe
PID 3020 wrote to memory of 2156	3020	Setup.exe	comp.exe
PID 3020 wrote to memory of 2156	3020	Setup.exe	comp.exe
PID 2156 wrote to memory of 2860	2156	comp.exe	XDD.au3
PID 2156 wrote to memory of 2860	2156	comp.exe	XDD.au3
PID 2156 wrote to memory of 2860	2156	comp.exe	XDD.au3
PID 2156 wrote to memory of 2860	2156	comp.exe	XDD.au3
PID 2156 wrote to memory of 2860	2156	comp.exe	XDD.au3
PID 2156 wrote to memory of 2860	2156	comp.exe	XDD.au3
PID 2860 wrote to memory of 2640	2860	XDD.au3	WerFault.exe
PID 2860 wrote to memory of 2640	2860	XDD.au3	WerFault.exe
PID 2860 wrote to memory of 2640	2860	XDD.au3	WerFault.exe
PID 2860 wrote to memory of 2640	2860	XDD.au3	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\XDD.au3
C:\Users\Admin\AppData\Local\Temp\XDD.au3
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 148
4⤵
- Loads dropped DLL
- Program crash
PID:2640

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aade6a77
Filesize
6.7MB

MD5
79c84428129e577f90a46e1ca8c97197

SHA1
a4bff3a39ba004a65cfdc911d1c0f56ae248c647

SHA256
f99c106c9dac2077f8fbcb1fa55b4c6be4315ece789f0c03505b94817974a2c7

SHA512
96c37c758ab7c0836fc0f23d6876c5fd65226b3ebb670699b0b5bb325c36354d14dafa6f71961081930517b62cec4a5114e2feefc22f0555ad7647d9e848fcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\b88ec466
Filesize
6.7MB

MD5
66fc948e9012358290663eb8317b500f

SHA1
5b1816022cd47616d5119e3fe00328166ff32a3c

SHA256
0b61a1dc2c84f927664e1a2ede0efb18000bd188c4f8440ad1fe8ce1b4cefef4

SHA512
0bfbd22da866fa0b8842ae0b01b6d043c04d1fa89613ee6112084a035fa6a19856f71e0f65a3e797c55a4de9962e8f9ac0bcd44023ccd174afda059220b59cc9

Download Submit
\Users\Admin\AppData\Local\Temp\XDD.au3
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2156-14-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/2156-24-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download
memory/2156-19-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download
memory/2156-16-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download
memory/2156-12-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download
memory/2860-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-26-0x0000000000A90000-0x00000000011DA000-memory.dmp

Filesize
7.3MB

Download
memory/2860-35-0x0000000000A90000-0x00000000011DA000-memory.dmp

Filesize
7.3MB

Download
memory/3020-10-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download
memory/3020-9-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download
memory/3020-8-0x0000000074002000-0x0000000074004000-memory.dmp

Filesize
8KB

Download
memory/3020-7-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/3020-6-0x0000000073FF0000-0x0000000074164000-memory.dmp

Filesize
1.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads