Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec435c31e94637e212d3cd3826e3f967a6da455e3d5faddaca116df8f93d719f.exe

  • Size

    2.0MB

  • MD5

    86e327a5dc4e11879b1252df94fe1224

  • SHA1

    c5a28d8218a07521856c71d10c0ba434276f54e2

  • SHA256

    ec435c31e94637e212d3cd3826e3f967a6da455e3d5faddaca116df8f93d719f

  • SHA512

    f61117e86c9c811cc96b47fd2160476b0b2c2946981e2ae3608d53abbd563c7aab8e0f5163fc29324d8b8fe08ae06ba2859339f3861d73223ae5a1f0baafc79a

  • SSDEEP

    49152:s4K3x1vUWJtTF+TxMoxc1TU+j+dAzGwlrh:s4Ex18WtIuoITsdZ

Score
10/10
stealcvidardiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 8 IoCs
    stealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec435c31e94637e212d3cd3826e3f967a6da455e3d5faddaca116df8f93d719f.exe
    "C:\Users\Admin\AppData\Local\Temp\ec435c31e94637e212d3cd3826e3f967a6da455e3d5faddaca116df8f93d719f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Users\Admin\AppData\Local\Temp\katE8D9.tmp
      C:\Users\Admin\AppData\Local\Temp\katE8D9.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2276
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4584,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
    1⤵
      PID:2144

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\katE8D9.tmp
      Filesize

      861KB

      MD5

      66064dbdb70a5eb15ebf3bf65aba254b

      SHA1

      0284fd320f99f62aca800fb1251eff4c31ec4ed7

      SHA256

      6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

      SHA512

      b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

      Download Submit

    • memory/2276-4-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2276-9-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2276-8-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2276-17-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2276-18-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2276-20-0x000000001B750000-0x000000001B9AF000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2276-35-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2276-36-0x0000000000400000-0x0000000000646000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4464-0-0x00000000006D0000-0x00000000006D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4464-1-0x0000000004100000-0x0000000004249000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4464-10-0x0000000000400000-0x000000000060C000-memory.dmp

      Filesize

      2.0MB

      Download