General

  • Target

    14ac2261851778d8dbba62e6b074aacc.bin

  • Size

    324KB

  • Sample

    240607-bds28sfh43

  • MD5

    5e1f74ce8e3b2ed85a17b0eb94ca6544

  • SHA1

    fef66787a2922fbec6aaf2d78a23d8b6257ebb2e

  • SHA256

    6411797d3753ab959e71005551ae2db76236a3d8f4b5d3c0418da5d12e47db64

  • SHA512

    4d5cc578d17a2c69f77626a08bb4afe47ac757e4d2623826de84d44055e0995cb0480082da517f7b686868440da5bd6696ed6cebca201caf521dd3ec8b53f62c

  • SSDEEP

    6144:cv5qx7BdeinOlxU+NJxSQAY5nbP7hs56vWz/xkDVAwxpF7nfUKO6wN:lFQi2G+NJxAWb1s5xSpDzNM

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Targets

    • Target

      410845b99861fdc39fbe003a3cd469fb4e4cec2f50b59c7697d4834b7fb9c4d8.exe

    • Size

      423KB

    • MD5

      14ac2261851778d8dbba62e6b074aacc

    • SHA1

      14b2d7a70f22eb1649266ec43ef510c0a02f3ca8

    • SHA256

      410845b99861fdc39fbe003a3cd469fb4e4cec2f50b59c7697d4834b7fb9c4d8

    • SHA512

      51f05ae50b54a3812989ce627189bc44f197ca5c772a1672c1b92be7837928d2783ea84a831712ee363951e87f40c46e9f322f42db3872acae6b47154b05663c

    • SSDEEP

      12288:HYJziNG63g3sp4vc/uxrHwXX/Gshi/+kcW8faRM:FNhg3o4vOuxaXOs0+kcW8x

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks