General

  • Target

    6c04b7572d6d4a88438ce7ed6d125617d4806df08ad0eebc209ff66f6eb246a7

  • Size

    3.6MB

  • Sample

    240607-ae1ysseb3w

  • MD5

    f0539dbfa8b31d98080839edb97581d2

  • SHA1

    a129d7abe1622f76999a97b3ba33696d9806b36c

  • SHA256

    6c04b7572d6d4a88438ce7ed6d125617d4806df08ad0eebc209ff66f6eb246a7

  • SHA512

    14c58f822db562adebbf7fa6b24584aab7088d5e9ab7fc108fd27478844133c3fda7a5e254a0dc815a6533a1f754760384d38f86623a0dee60f16d6c70bf1b1e

  • SSDEEP

    49152:Nmrx7qpujWKPt9m7B4Feydua3ljovhWKCGjYRiainBn8gK7oY:Nmrx7qpuXPtnjEhWR4hB3

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://88.99.127.107

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Targets

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks