Malware Analysis Report

2024-09-11 16:39

Sample ID 240614-qbffpa1hrg
Target e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5
SHA256 e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5
Tags
stealc vidar stealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5

Threat Level: Known bad

The file e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5 was found to be: Known bad.

Malicious Activity Summary

stealc vidar stealer spyware

Stealc

Vidar

Detect Vidar Stealer

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 13:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 13:04

Reported

2024-06-14 13:07

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 560 set thread context of 1836 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1836 wrote to memory of 2532 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2532 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2532 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2532 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2532 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe

"C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\HCFBKKEBKEBG" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

memory/560-4-0x00007FF748130000-0x00007FF748FBC000-memory.dmp

memory/1836-5-0x00000000004A0000-0x00000000006E8000-memory.dmp

memory/1836-7-0x00000000004A0000-0x00000000006E8000-memory.dmp

memory/560-8-0x00007FF748130000-0x00007FF748FBC000-memory.dmp

memory/1836-9-0x00000000004A0000-0x00000000006E8000-memory.dmp

memory/1836-10-0x00000000004A0000-0x00000000006E8000-memory.dmp

memory/1836-11-0x00000000004A0000-0x00000000006E8000-memory.dmp

memory/1836-12-0x00000000004A0000-0x00000000006E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 13:04

Reported

2024-06-14 13:07

Platform

win11-20240611-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4932 set thread context of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4932 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4932 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4932 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4932 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3984 wrote to memory of 2540 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 2540 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 2540 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2540 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2540 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe

"C:\Users\Admin\AppData\Local\Temp\e9edfb560307e1bd40f575a8dc1d9835e13059388cfb72ffbbe8aefc99d7fbf5.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJEGIJEGDBFH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 tcp
DE 195.201.251.58:9000 tcp
DE 195.201.251.58:9000 tcp
DE 195.201.251.58:9000 tcp
DE 195.201.251.58:9000 tcp
DE 195.201.251.58:9000 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp

Files

memory/4932-2-0x00007FF7AE5D0000-0x00007FF7AF45C000-memory.dmp

memory/3984-5-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-7-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-10-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/4932-9-0x00007FF7AE5D0000-0x00007FF7AF45C000-memory.dmp

memory/3984-13-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-14-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-17-0x000000001AE90000-0x000000001B0EF000-memory.dmp

memory/3984-24-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-25-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-33-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-34-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-50-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-51-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-62-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-63-0x00000000006E0000-0x0000000000928000-memory.dmp

memory/3984-64-0x00000000006E0000-0x0000000000928000-memory.dmp