General

  • Target

    0594d4ba4bfaef1ef5f5322dcb51ac0b4de3bb1798d821a1b49ce3e4937c68e6

  • Size

    2.5MB

  • Sample

    240607-1rejfaec32

  • MD5

    efc90568e14f0429d78743440d7d8bb1

  • SHA1

    c33788c0406ad85c28c940be3a30543fe30af48b

  • SHA256

    0594d4ba4bfaef1ef5f5322dcb51ac0b4de3bb1798d821a1b49ce3e4937c68e6

  • SHA512

    343cb0f3c487d35cdd34a0a441de2a263a3a9c50ce80d97df5c3bcb9b77a08b766c880f0641d71b432272f296744228608846e6494c657e42d715e2da28fd0bd

  • SSDEEP

    49152:Zcm4081qpZBUbHEmJmsEAQACR07Q3byRD8aXY658:ZcmmqvBUbHtwfAw07QLyLn

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Targets

    • Target

      0594d4ba4bfaef1ef5f5322dcb51ac0b4de3bb1798d821a1b49ce3e4937c68e6

    • Size

      2.5MB

    • MD5

      efc90568e14f0429d78743440d7d8bb1

    • SHA1

      c33788c0406ad85c28c940be3a30543fe30af48b

    • SHA256

      0594d4ba4bfaef1ef5f5322dcb51ac0b4de3bb1798d821a1b49ce3e4937c68e6

    • SHA512

      343cb0f3c487d35cdd34a0a441de2a263a3a9c50ce80d97df5c3bcb9b77a08b766c880f0641d71b432272f296744228608846e6494c657e42d715e2da28fd0bd

    • SSDEEP

      49152:Zcm4081qpZBUbHEmJmsEAQACR07Q3byRD8aXY658:ZcmmqvBUbHtwfAw07QLyLn

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks