Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13-06-2024 11:55

General

  • Target

    38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe

  • Size

    2.1MB

  • MD5

    c49af08976d8324f556866373969b576

  • SHA1

    c4334b02493de064d9d26f5f482d24670bf7c343

  • SHA256

    38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8

  • SHA512

    3d85e000b517e935023dbadb7e86f027e3e280c3b090eab9dea3159e0b38398f32a7bfb0e8a3a7329703b2adaf59b072920cced88a4262338a35473119cf86c2

  • SSDEEP

    24576:Ub4m+sws1qLVNMIlJl6DRKbAlcNRfCKFUfMxVVtes12FxwojKr98YGeGG9iO:UZXOjt6DuAwCKFUkxVVChjHZQs

Malware Config

Extracted

Family

stealc

rc4.plain
1
2910114286690104117195131148

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 8 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe
    "C:\Users\Admin\AppData\Local\Temp\38d16dccfd335cf95f05ab43376b79a0f6f622a8252cc96b33c68fc5a263f8b8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\kat3B82.tmp
      C:\Users\Admin\AppData\Local\Temp\kat3B82.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4780

Network

  • flag-us
    DNS
    t.me
    kat3B82.tmp
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    ctldl.windowsupdate.com
    kat3B82.tmp
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.17.107.203
    a767.dspw65.akamai.net
    IN A
    2.17.107.138
  • flag-us
    DNS
    203.107.17.2.in-addr.arpa
    kat3B82.tmp
    Remote address:
    8.8.8.8:53
    Request
    203.107.17.2.in-addr.arpa
    IN PTR
    Response
    203.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-203.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    kat3B82.tmp
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.73.50.20.in-addr.arpa
    kat3B82.tmp
    Remote address:
    8.8.8.8:53
    Request
    13.73.50.20.in-addr.arpa
    IN PTR
    Response
  • flag-de
    GET
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    244.235.13.49.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    244.235.13.49.in-addr.arpa
    IN PTR
    Response
    244.235.13.49.in-addr.arpa
    IN PTR
    static.244.235.13.49.clients.your-server.de
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.227.14
  • flag-us
    DNS
    self.events.data.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdneu10.northeurope.cloudapp.azure.com
    onedscolprdneu10.northeurope.cloudapp.azure.com
    IN A
    20.50.73.13
  • flag-de
    POST
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFHCBKKFIJJJECAAFCGI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Content-Length: 279
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FCAKFCGCGIEGDGCAAKKJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAFHDBGHJKFIDHJJJEBK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EHJJECBKKECFIEBGCAKJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FCAECAKKFBGCBGDGIEHC
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Content-Length: 4649
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    https://49.13.235.244:5432/sqls.dll
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    GET /sqls.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:42 GMT
    Content-Type: application/octet-stream
    Content-Length: 2459136
    Last-Modified: Sun, 02 Jun 2024 19:44:54 GMT
    Connection: keep-alive
    ETag: "665ccbb6-258600"
    Accept-Ranges: bytes
  • flag-de
    POST
    https://49.13.235.244:5432/
    kat3B82.tmp
    Remote address:
    49.13.235.244:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJKFHIIEHIEGDHJJJKFI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 49.13.235.244:5432
    Content-Length: 753
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 13 Jun 2024 11:55:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 149.154.167.99:443
    t.me
    tls
    kat3B82.tmp
    1.6kB
    19.9kB
    25
    21
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    1.1kB
    2.7kB
    11
    8

    HTTP Request

    GET https://49.13.235.244:5432/

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    1.4kB
    662 B
    9
    7

    HTTP Request

    POST https://49.13.235.244:5432/

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    1.5kB
    2.2kB
    10
    7

    HTTP Request

    POST https://49.13.235.244:5432/

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    1.6kB
    6.3kB
    13
    10

    HTTP Request

    POST https://49.13.235.244:5432/

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    1.4kB
    672 B
    9
    6

    HTTP Request

    POST https://49.13.235.244:5432/

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    6.0kB
    605 B
    13
    7

    HTTP Request

    POST https://49.13.235.244:5432/

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/sqls.dll
    tls, http
    kat3B82.tmp
    91.9kB
    2.5MB
    1828
    1825

    HTTP Request

    GET https://49.13.235.244:5432/sqls.dll

    HTTP Response

    200
  • 49.13.235.244:5432
    https://49.13.235.244:5432/
    tls, http
    kat3B82.tmp
    1.9kB
    528 B
    9
    5

    HTTP Request

    POST https://49.13.235.244:5432/

    HTTP Response

    200
  • 52.111.227.11:443
    322 B
    7
  • 8.8.8.8:53
    t.me
    dns
    kat3B82.tmp
    332 B
    798 B
    5
    5

    DNS Request

    t.me

    DNS Response

    149.154.167.99

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.17.107.203
    2.17.107.138

    DNS Request

    203.107.17.2.in-addr.arpa

    DNS Request

    14.227.111.52.in-addr.arpa

    DNS Request

    13.73.50.20.in-addr.arpa

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    297 B
    635 B
    4
    4

    DNS Request

    99.167.154.149.in-addr.arpa

    DNS Request

    244.235.13.49.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.227.14

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    20.50.73.13


Downloads

  • C:\Users\Admin\AppData\Local\Temp\kat3B82.tmp

    Filesize

    861KB

    MD5

    66064dbdb70a5eb15ebf3bf65aba254b

    SHA1

    0284fd320f99f62aca800fb1251eff4c31ec4ed7

    SHA256

    6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

    SHA512

    b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

  • memory/4780-4-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4780-8-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4780-10-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4780-13-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4780-14-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4780-16-0x0000000019400000-0x000000001965F000-memory.dmp

    Filesize

    2.4MB

  • memory/4780-24-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4780-25-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4916-0-0x00000000025D0000-0x00000000025D1000-memory.dmp

    Filesize

    4KB

  • memory/4916-1-0x0000000002BB0000-0x0000000002CC0000-memory.dmp

    Filesize

    1.1MB

  • memory/4916-9-0x0000000000400000-0x0000000000629000-memory.dmp

    Filesize

    2.2MB
