stealc | 7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d

General

Target

7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe
Size

2.0MB
MD5

4ef9f0830130c0681e0b4c6361e543ae
SHA1

50c02afe6cdd963f625c2a18a96c62a75abd5926
SHA256

7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d
SHA512

3f341dd59213dfad1385ead5549695f3cdb5c3bd1476cacae244bb4e8ceb342187fee1dd95c70cb1180804ab7439fb947c5639c978a390df3e2f786ee0e99287
SSDEEP

49152:s4K3x1vUSJtTF+TxMoxc1TU+j+dAzGwlrh:s4Ex18StIuoITsdZ

Score

10^/10

stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

Detect Vidar Stealer 8 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4684-1-0x0000000004240000-0x0000000004389000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-4-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-8-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-10-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-17-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-18-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-35-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral1/memory/4128-36-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

katD2A2.tmp

pid process

4128 katD2A2.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4128	katD2A2.tmp

Suspicious use of SetThreadContext 1 IoCs

Processes:

7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe

description	pid	process	target process
PID 4684 set thread context of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp

Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

katD2A2.tmp

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString katD2A2.tmp
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

katD2A2.tmp

pid process

4128 katD2A2.tmp
4128 katD2A2.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	katD2A2.tmp

pid	process
4128	katD2A2.tmp
4128	katD2A2.tmp

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe

description	pid	process	target process
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp
PID 4684 wrote to memory of 4128	4684	7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe	katD2A2.tmp

C:\Users\Admin\AppData\Local\Temp\7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe
"C:\Users\Admin\AppData\Local\Temp\7876dcdbde57a937e542bc0acc1246440d916bc0e8b36092df843cb3cb710d6d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\katD2A2.tmp
C:\Users\Admin\AppData\Local\Temp\katD2A2.tmp
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:8
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\katD2A2.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
memory/4128-4-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4128-8-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4128-10-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4128-17-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4128-18-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4128-20-0x000000001B7C0000-0x000000001BA1F000-memory.dmp

Filesize
2.4MB

Download
memory/4128-35-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4128-36-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4684-0-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4684-1-0x0000000004240000-0x0000000004389000-memory.dmp

Filesize
1.3MB

Download
memory/4684-9-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads