stealc | ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df

General

Target

ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe
Size

2.0MB
MD5

94f7884d2a4d8fc6a186e41debc75e4c
SHA1

56f351ed1b5d39c4e78dd0062025bb3440ef5161
SHA256

ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df
SHA512

04775100a00314d0acffa74da756875992b24d9d3823bf1ccd1fe308567dbeab989752d739476b9b637df780abea25335d6e544c55eed7a1e5fdd6a601b8372e
SSDEEP

49152:IFno/jfIJtTF+TxMoxc1TU+j+dAzGkiT:IFno/jAtIuoITsdZT

Score

10^/10

stealc vidar stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199686524322

https://t.me/k0mono

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral2/memory/1664-10-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1664-8-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1664-4-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/3868-2-0x0000000004030000-0x0000000004179000-memory.dmp	family_vidar_v7
behavioral2/memory/1664-12-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1664-15-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1664-14-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7
behavioral2/memory/1664-16-0x0000000000400000-0x0000000000646000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 1 IoCs

pid	Process
1664	kat5081.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat5081.tmp

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4428	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	kat5081.tmp
1664	kat5081.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85
PID 3868 wrote to memory of 1664	3868	ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe	85

C:\Users\Admin\AppData\Local\Temp\ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe
"C:\Users\Admin\AppData\Local\Temp\ebf0a2b48504013795a31526b914c09d1c84e5bbc9638c4a5e6f8cd1c02d18df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\kat5081.tmp
  C:\Users\Admin\AppData\Local\Temp\kat5081.tmp
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\kat5081.tmp" & rd /s /q "C:\ProgramData\BGHJJDGHCBGD" & exit
    3⤵
    PID:4676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kat5081.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
memory/1664-10-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1664-8-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1664-4-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1664-12-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1664-15-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1664-14-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1664-16-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/3868-0-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3868-9-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/3868-2-0x0000000004030000-0x0000000004179000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads