General

  • Target

    43ab8d538551ee2d920b1780bced4a7e97a3e9cf8d6f47b6634219120c1ca3de.exe

  • Size

    779KB

  • Sample

    240604-bp8l3agh95

  • MD5

    b8c16305e86cd0c9e66bf9a26bed97c7

  • SHA1

    451b83ee2758b91aabf7f0367241d636b6c1d6f5

  • SHA256

    43ab8d538551ee2d920b1780bced4a7e97a3e9cf8d6f47b6634219120c1ca3de

  • SHA512

    b1d9548fc78fb8626d7e081d2ded7d86743e4f9136b3314315a5afa096e33858d43d7b9d775a623f7733809b0f06b748033518e9c3ac14a190aff5e71ac6ae9b

  • SSDEEP

    24576:uky1kNvBHoB+vinRETPD1qL63JnPPX8YpYFLxwuXt:uV1klBHoEURETPD1qL63fYN

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199689717899

https://t.me/copterwin

Targets

    • Target

      43ab8d538551ee2d920b1780bced4a7e97a3e9cf8d6f47b6634219120c1ca3de.exe

    • Size

      779KB

    • MD5

      b8c16305e86cd0c9e66bf9a26bed97c7

    • SHA1

      451b83ee2758b91aabf7f0367241d636b6c1d6f5

    • SHA256

      43ab8d538551ee2d920b1780bced4a7e97a3e9cf8d6f47b6634219120c1ca3de

    • SHA512

      b1d9548fc78fb8626d7e081d2ded7d86743e4f9136b3314315a5afa096e33858d43d7b9d775a623f7733809b0f06b748033518e9c3ac14a190aff5e71ac6ae9b

    • SSDEEP

      24576:uky1kNvBHoB+vinRETPD1qL63JnPPX8YpYFLxwuXt:uV1klBHoEURETPD1qL63fYN

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing potential Windows Defender anti-emulation checks

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v15