Resubmissions

29/05/2024, 02:26

240529-cw2mrsfg27 10

29/05/2024, 01:19

240529-bpjmyadc72 10

Analysis

  • max time kernel
    126s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    29/05/2024, 02:26

General

  • Target

    setup.bat

  • Size

    119B

  • MD5

    01c6147fe212bd1a211b47885bd51574

  • SHA1

    8e2eb02209e29734eda19a589a3586fdcae2869b

  • SHA256

    762807919a78fcd34ab1be1d88eceb93248b567aa294eecdd9ed0a80e865977c

  • SHA512

    abab3abb01487b50a329e12668898ef29d921c35357cf9b2fce4dd9039df126d7c74c828582f35e19fdfd8ddcbeca76925eaa9b7823005b8743ce233b6b1e9cf

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    193.149.189.199
  • Port:
    21
  • Username:
    ins
  • Password:
    installer

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 10 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\setup.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\pythonw.exe
      pythonw.exe server.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Users\Admin\AppData\Local\Temp\pythonw.exe
        "pythonw.exe"
        3⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFIIDAKJDG" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4172
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • Delays execution with timeout.exe
            PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/228-89-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-91-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-92-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-98-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-99-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-101-0x00000000192D0000-0x000000001952F000-memory.dmp (Filesize: 2.4MB)
  • memory/228-116-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-117-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-129-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-130-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/228-131-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
  • memory/3764-88-0x0000000000C60000-0x0000000000C61000-memory.dmp (Filesize: 4KB)