stealc | 7d1aacb2de98d1e3e8fe87c782e896b92cf80b259f6a7d7246820b355ac0f943

General

Target

Setup.exe
Size

10.1MB
MD5

4f298e579a73803f788734a78cd1a067
SHA1

0e64e60763e65ce46c9a2ffaf1dcb7694e060575
SHA256

7d1aacb2de98d1e3e8fe87c782e896b92cf80b259f6a7d7246820b355ac0f943
SHA512

fd8fcbd9f0c2f9098371eb45463c9bf42b257b23ec8c9e8e79fd524786f29c61577414989b60334646b992a3f5116e03ed92b99ff51902e3657fa254b6fc06db
SSDEEP

196608:6cSu3XxiLS7jUJjRas3w+8wB6+d02F185c12dtkUoQ2kFl2ZnG46zsI7f1wGoO:/SuHxqS7Sdas3wHz+uM18i12dtkUTRl5

Score

10^/10

stealc vidar stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2700-26-0x0000000000990000-0x00000000010DA000-memory.dmp	family_vidar_v7
behavioral1/memory/2700-35-0x0000000000990000-0x00000000010DA000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Loads dropped DLL 9 IoCs

Processes:

comp.exeXDD.au3WerFault.exe

pid process

1932 comp.exe
2700 XDD.au3
2592 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 2924 set thread context of 1932 2924 Setup.exe comp.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2592 2700 WerFault.exe XDD.au3
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.execomp.exe

pid process

2924 Setup.exe
2924 Setup.exe
1932 comp.exe
1932 comp.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.execomp.exe

pid process

2924 Setup.exe
1932 comp.exe

pid	process
1932	comp.exe
2700	XDD.au3
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe

description	pid	process	target process
PID 2924 set thread context of 1932	2924	Setup.exe	comp.exe

pid	pid_target	process	target process
2592	2700	WerFault.exe	XDD.au3

pid	process
2924	Setup.exe
2924	Setup.exe
1932	comp.exe
1932	comp.exe

pid	process
2924	Setup.exe
1932	comp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Setup.execomp.exeXDD.au3

description	pid	process	target process
PID 2924 wrote to memory of 1932	2924	Setup.exe	comp.exe
PID 2924 wrote to memory of 1932	2924	Setup.exe	comp.exe
PID 2924 wrote to memory of 1932	2924	Setup.exe	comp.exe
PID 2924 wrote to memory of 1932	2924	Setup.exe	comp.exe
PID 2924 wrote to memory of 1932	2924	Setup.exe	comp.exe
PID 1932 wrote to memory of 2700	1932	comp.exe	XDD.au3
PID 1932 wrote to memory of 2700	1932	comp.exe	XDD.au3
PID 1932 wrote to memory of 2700	1932	comp.exe	XDD.au3
PID 1932 wrote to memory of 2700	1932	comp.exe	XDD.au3
PID 1932 wrote to memory of 2700	1932	comp.exe	XDD.au3
PID 1932 wrote to memory of 2700	1932	comp.exe	XDD.au3
PID 2700 wrote to memory of 2592	2700	XDD.au3	WerFault.exe
PID 2700 wrote to memory of 2592	2700	XDD.au3	WerFault.exe
PID 2700 wrote to memory of 2592	2700	XDD.au3	WerFault.exe
PID 2700 wrote to memory of 2592	2700	XDD.au3	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\XDD.au3
C:\Users\Admin\AppData\Local\Temp\XDD.au3
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 148
4⤵
- Loads dropped DLL
- Program crash
PID:2592

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82b6cb1c
Filesize
6.7MB

MD5
79c84428129e577f90a46e1ca8c97197

SHA1
a4bff3a39ba004a65cfdc911d1c0f56ae248c647

SHA256
f99c106c9dac2077f8fbcb1fa55b4c6be4315ece789f0c03505b94817974a2c7

SHA512
96c37c758ab7c0836fc0f23d6876c5fd65226b3ebb670699b0b5bb325c36354d14dafa6f71961081930517b62cec4a5114e2feefc22f0555ad7647d9e848fcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e8d1c59
Filesize
6.7MB

MD5
487e6e41cfaa4f393f3527ac141005d0

SHA1
9308ed8b726971d98a26b5175e4ad3bb9f17e0b1

SHA256
16e1c9fd054e44bf248701e347ceaef01b1b488e6c6ddaa9fcb6c006ef83d518

SHA512
d71a6f9460144c6a82378f00a986089907db9ce3ebd6f70e6c8ec3f3cf41b08caecceebc2702257c69389720ee67a72b9909ee7820a9e55e7ddd476e9099302b

Download Submit
\Users\Admin\AppData\Local\Temp\XDD.au3
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1932-14-0x00000000778A0000-0x0000000077A49000-memory.dmp

Filesize
1.7MB

Download
memory/1932-24-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download
memory/1932-20-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download
memory/1932-16-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download
memory/1932-12-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download
memory/2700-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-26-0x0000000000990000-0x00000000010DA000-memory.dmp

Filesize
7.3MB

Download
memory/2700-35-0x0000000000990000-0x00000000010DA000-memory.dmp

Filesize
7.3MB

Download
memory/2924-10-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download
memory/2924-9-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download
memory/2924-8-0x0000000074812000-0x0000000074814000-memory.dmp

Filesize
8KB

Download
memory/2924-7-0x00000000778A0000-0x0000000077A49000-memory.dmp

Filesize
1.7MB

Download
memory/2924-6-0x0000000074800000-0x0000000074974000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads