stealc | 1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a

General

Target

1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe
Size

2.9MB
MD5

0106c47448dd2470e5d3d2550e94a560
SHA1

06e62d065bac64d68e44742adbdf45067b950648
SHA256

1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a
SHA512

75a342fa44fa3ccabe80c499f4357b82dec2b31a49fb7f6a982a0880ba6045237b0c7a0ab761478eaca2c26ec35d2d322139bc104e8c1ef3b89f7b37d54bed97
SSDEEP

49152:rtpSxptE1AKnCVMS4cdR/z4+UVi4e9Crn:r/4nE1dCqKxx4e9Cb

Score

10^/10

stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral1/memory/3996-1-0x0000000002AE0000-0x0000000002C46000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-9-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-10-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-4-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-13-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-14-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-31-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/1972-33-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1972	kat3F1C.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat3F1C.tmp

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	kat3F1C.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	kat3F1C.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	kat3F1C.tmp
1972	kat3F1C.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83
PID 3996 wrote to memory of 1972	3996	1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe	83

C:\Users\Admin\AppData\Local\Temp\1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe
"C:\Users\Admin\AppData\Local\Temp\1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\kat3F1C.tmp
  C:\Users\Admin\AppData\Local\Temp\kat3F1C.tmp
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kat3F1C.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
memory/1972-9-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1972-10-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1972-4-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1972-13-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1972-14-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1972-16-0x000000001B820000-0x000000001BA7F000-memory.dmp

Filesize
2.4MB

Download
memory/1972-31-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1972-33-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3996-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3996-1-0x0000000002AE0000-0x0000000002C46000-memory.dmp

Filesize
1.4MB

Download
memory/3996-6-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads