Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-06-2024 00:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7219c5b418d16878855ed871c4367a909f9c5837d4e19e3397e4961a0abea3b1.exe

  • Size

    1.6MB

  • MD5

    242cf4251e0dec3a13473c30f1ab9051

  • SHA1

    175966b4d5c3b63130ef87e1b9b3071e70a4d4c9

  • SHA256

    7219c5b418d16878855ed871c4367a909f9c5837d4e19e3397e4961a0abea3b1

  • SHA512

    e55c624c348cbea3e45c3ba3ed8644988e8a5c6c13cf5d96f71e087342823e36d5adca10f871b43267fa242e768e3bf43e8e019441eae32baefb87610e5a98e0

  • SSDEEP

    24576:spM5863IGfTAVpalBYUfMxVVtes12FxwojKr98YGeGG9i:spQLYkTYp6BYUkxVVChjHZQs

Score
10/10
stealcvidardiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 8 IoCs
    stealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7219c5b418d16878855ed871c4367a909f9c5837d4e19e3397e4961a0abea3b1.exe
    "C:\Users\Admin\AppData\Local\Temp\7219c5b418d16878855ed871c4367a909f9c5837d4e19e3397e4961a0abea3b1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\kat499C.tmp
      C:\Users\Admin\AppData\Local\Temp\kat499C.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\kat499C.tmp" & rd /s /q "C:\ProgramData\DAAFBAKECAEG" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • Delays execution with timeout.exe
          PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kat499C.tmp
    Filesize

    448KB

    MD5

    d7d3e9e68f500a5362ef855382d5934b

    SHA1

    740495877cbcda9c61c8eb1ce3cb0c0f20738a81

    SHA256

    8cdc50bc308edd6d0f70d7c8203f0ef469daaa62ae801a00c93e6b9160fef772

    SHA512

    512f5d5764050274d5beb6c966c787eb50a9850ec4c4886cda14f3a912dc627d29d2cac5db7f825500041a47ce65ecc4e8f728dc934c748f6575ae17d4c2cf89

    Download Submit
  • memory/1620-0-0x00000000022F0000-0x00000000022F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1620-9-0x0000000000400000-0x0000000000594000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1620-2-0x0000000004020000-0x0000000004130000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2240-10-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-8-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-4-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-11-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-12-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-14-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-13-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2240-15-0x0000000000400000-0x0000000000648000-memory.dmp
    Filesize

    2.3MB

    Download