Overview

overview

10

Static

static

3

42f7ec36e0...0d.exe

windows7-x64

3

42f7ec36e0...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42f7ec36e07bca91cfa99c9b5a1643a7674e4af4c93905a993eab902e0bfa70d.exe

  • Size

    355KB

  • MD5

    8a848d90a8d7a8c79b80d2dd8d330d9d

  • SHA1

    6694c6e16123598f1665b7c68da40fd342e683fa

  • SHA256

    42f7ec36e07bca91cfa99c9b5a1643a7674e4af4c93905a993eab902e0bfa70d

  • SHA512

    d67683611a368964d4dbc2ed85c9c458e5502cc8fb50608ef184cdb574e55636f800c471f8224b1fe82874175f9802d07a8dacdac5eeb73bd72a35bb7b71d54e

  • SSDEEP

    6144:FHAqyjjclaS6sR38CS0iD7RjPyvB7m2Rx6PLfciHid4Fwem:JAqyjjmK06ByZ7m2yee

Score
10/10
stealcvidardiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 11 IoCs
    stealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Detect binaries embedding considerable number of MFA browser extension IDs. 8 IoCs
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 8 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 11 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 8 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 11 IoCs
  • Detects executables containing potential Windows Defender anti-emulation checks 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42f7ec36e07bca91cfa99c9b5a1643a7674e4af4c93905a993eab902e0bfa70d.exe
    "C:\Users\Admin\AppData\Local\Temp\42f7ec36e07bca91cfa99c9b5a1643a7674e4af4c93905a993eab902e0bfa70d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:4748
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Checks computer location settings
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HJKECAAAFHJE" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            4⤵
            • Delays execution with timeout.exe
            PID:448

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    4
    T1552

    Credentials In Files

    4
    T1552.001

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    4
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4016-0-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4016-1-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4016-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4804-2-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-5-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-7-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-11-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-12-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-14-0x000000001BA00000-0x000000001BC5F000-memory.dmp
      Filesize

      2.4MB

      Download
    • memory/4804-29-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-30-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-46-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-47-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-58-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4804-59-0x0000000000400000-0x0000000000646000-memory.dmp
      Filesize

      2.3MB

      Download