General

  • Target

    73e3e8ed3f6cdea0e2f492492cf1cc682d960300ac639f6d2250f7e2fb12ff4c

  • Size

    1.8MB

  • Sample

    240604-avafsaeg7y

  • MD5

    e6c68f9d527554cebbfd4b525b93c074

  • SHA1

    b089243ad3e3dea90ccfb1f27dffca8a8a5478c3

  • SHA256

    73e3e8ed3f6cdea0e2f492492cf1cc682d960300ac639f6d2250f7e2fb12ff4c

  • SHA512

    58fee7ba40490e16256c29a86162cb931c1740708415d5f1fb641627a6cfdcfad16de258fbef6f5a9f3d3c48d40079cdbc9cf1d0d66642f1863f7dc2e25d2c2f

  • SSDEEP

    24576:W7YfUB7F1931tbSYaOV+rEfv0xwT3zxNOt4XigDSCuptNEynEsqqfD:W75B7FDFtbSYa8aesY3Ot4N7G/

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/ta904ek

https://steamcommunity.com/profiles/76561199695752269

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Targets

    • Target

      73e3e8ed3f6cdea0e2f492492cf1cc682d960300ac639f6d2250f7e2fb12ff4c

    • Size

      1.8MB

    • MD5

      e6c68f9d527554cebbfd4b525b93c074

    • SHA1

      b089243ad3e3dea90ccfb1f27dffca8a8a5478c3

    • SHA256

      73e3e8ed3f6cdea0e2f492492cf1cc682d960300ac639f6d2250f7e2fb12ff4c

    • SHA512

      58fee7ba40490e16256c29a86162cb931c1740708415d5f1fb641627a6cfdcfad16de258fbef6f5a9f3d3c48d40079cdbc9cf1d0d66642f1863f7dc2e25d2c2f

    • SSDEEP

      24576:W7YfUB7F1931tbSYaOV+rEfv0xwT3zxNOt4XigDSCuptNEynEsqqfD:W75B7FDFtbSYa8aesY3Ot4N7G/

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks