General

  • Target

    Setup (6).zip

  • Size

    7.0MB

  • Sample

    240614-p42c7a1fng

  • MD5

    6e621a2773322cd17fe32c181d062d49

  • SHA1

    a238afd8addc7751d0bd47412b2827f9ae6a01cc

  • SHA256

    03a0f1b34e5688e65e394ac4e242b5e287817afd351d973bcb495d533166568e

  • SHA512

    69d76848c7d3dd591009cdbd625da606eab50eeddbd3ebe3a3d5d9d2427f25b177c07a763e22c1870800fb7a841a4abe844a2bdf7b37efdcbf42fe5ba7b9bd23

  • SSDEEP

    196608:yvgKLAm5iWdSbkWNjpB0Z+hKjNRD/0RGzrsZCP9F4WgqvC2q:y7CIqjpBS+hKRuZCPL4rqvC2q

Malware Config

Extracted

Family

stealc

rc4.plain

Targets

    • Target

      Setup (6).exe

    • Size

      689.0MB

    • MD5

      ff67f19d6adda7d98103d92e733bc89e

    • SHA1

      a0bbc5d62f72ed69ca3ee5ca20497714f369f435

    • SHA256

      2ccd9c21535699c0bfe986739ad48e88b2c4b51b9f571dcad6214742adf48d23

    • SHA512

      d69371bcc0a9bd65425826ddd9b5c509ec3f2b5493174316e4780b1e58a2366257b92d185b26a527d5b8f10ea2c49c1d95c835486cc6f9aeeab8258cae234523

    • SSDEEP

      196608:9gViopMudQjEGr5TlS7ybinhHzbWF6zr4ZKPLLUGgGn4:SKAg5TlkybihGZKPfU7Gn

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Process Discovery

1
T1057

Collection

Data from Local System

4
T1005

Tasks