stealc | cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e

Analysis

max time kernel
124s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe
Size

8.2MB
MD5

5d297e4bcb36a4a1481c32fa7c0088a6
SHA1

bf0947415396624d6dbd08469c490b30637ab7d7
SHA256

cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e
SHA512

2e124967d0833ac856758417ba61d2b316b6021fc50b36ad9cb5e7b9d33812bfcd9bb654ce2933132d691ca57fa276ea5556a7826317b2d3168372c401da3ca4
SSDEEP

196608:kB+S/N8G+oHIpNKvhLozkAx6Dh1GxzCnCj8X9ehQTLrOfweA:kcgxDHIp8ozkAxzzIC7WTO6

Score

10^/10

stealc vidar stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/760-0-0x0000000000400000-0x0000000000B4A000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/760-0-0x0000000000400000-0x0000000000B4A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/760-0-0x0000000000400000-0x0000000000B4A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables containing potential Windows Defender anti-emulation checks 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/760-0-0x0000000000400000-0x0000000000B4A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe

description pid process target process

PID 1936 set thread context of 760 1936 cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe wab.exe

description	pid	process	target process
PID 1936 set thread context of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe

description	pid	process	target process
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe
PID 1936 wrote to memory of 760	1936	cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe
"C:\Users\Admin\AppData\Local\Temp\cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
2⤵
PID:760

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-0-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads