Overview

overview

10

Static

static

1

ver3_appfile.rar

windows11-21h2-x64

10

Resubmissions

03-06-2024 03:27

240603-dz99raah93 10

03-06-2024 03:24

240603-dycbbshd9y 3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ver3_appfile.rar

  • Size

    6.9MB

  • Sample

    240603-dz99raah93

  • MD5

    70a4b0088163ebb0805eeff9bc766658

  • SHA1

    746e8f51637b5861858ef453de04964b4eb23246

  • SHA256

    5104e10875fb2a5e76fff9e552e9007d7be2049546dc8ce7443e2c62de4981ae

  • SHA512

    a0c8be17811298ddb333d4f030b8dc6a12de7f24893d94cacfaac68324baeb68a8e75874ead938ff4dedb6b2ff9b01b85168b005475c5bc87bb4ec4bdb630b28

  • SSDEEP

    98304:nQAcZjsI/pfneEb+NJ5xiMAe74hCXjIXNwpjL2qTFZHc/G3KeM/jl7EuCh8fJAHD:QXZYunlbw5jqByN6k/kVmkA/r

Score
10/10
privateloaderriseprostealctofseevidarbootkitcollectiondiscoveryevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/ta904ek

https://steamcommunity.com/profiles/76561199695752269
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Extracted

Family

risepro

C2

147.45.47.126:58709

Targets

    • Target

      ver3_appfile.rar

    • Size

      6.9MB

    • MD5

      70a4b0088163ebb0805eeff9bc766658

    • SHA1

      746e8f51637b5861858ef453de04964b4eb23246

    • SHA256

      5104e10875fb2a5e76fff9e552e9007d7be2049546dc8ce7443e2c62de4981ae

    • SHA512

      a0c8be17811298ddb333d4f030b8dc6a12de7f24893d94cacfaac68324baeb68a8e75874ead938ff4dedb6b2ff9b01b85168b005475c5bc87bb4ec4bdb630b28

    • SSDEEP

      98304:nQAcZjsI/pfneEb+NJ5xiMAe74hCXjIXNwpjL2qTFZHc/G3KeM/jl7EuCh8fJAHD:QXZYunlbw5jqByN6k/kVmkA/r

    Score
    10/10
    privateloaderriseprostealctofseevidarbootkitcollectiondiscoveryevasionexecutionloaderpersistencespywarestealertrojan

    • Detect Vidar Stealer

      stealer

    • Modifies firewall policy service

      evasion

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks