General

  • Target

    #!~#0Pen_4422_P@$SW0rd~!!$.zip

  • Size

    8.9MB

  • Sample

    240614-rdm4zsxejj

  • MD5

    56bcf8e0f9a1e7ee2e1954329366b4b4

  • SHA1

    24ce667a4a7ad4694230ef4efb004c7f5d9fa57c

  • SHA256

    04e78ecfe607fbbea63c548deac4a45403a4ce44ffa35a6e858bcbf4b09e7bdf

  • SHA512

    7560ec07ef74855dd5a73be4ff1293f879875af3662ff81c13eaf3d9ed1bf97fe77fe6ea5f94ac23a5a7b732397ab4a3d6a8baf198f872fe509f58f2d245a761

  • SSDEEP

    196608:5Z8I222mtGZPRZxMc4dtIFc87F79UrvBB1mKXU//b:5ZT2LmtGZPRZmcQtf8upBvk7
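Before detonating or reversing, confirm that the file on your bench is the artefact this report describes and that you are not mixing up the archive with the payload extracted from it. The following is an added example, not part of the sandbox report: it streams a file once through all four digest algorithms listed above and classifies it against the report's hash table (the indicator values are copied from this page; the `"abc"` bytes and file path used at the bottom are constructed for illustration). SSDEEP is deliberately left out because the standard library has no implementation of it.

```python
"""Verify a candidate file against the hashes published in this report."""
import hashlib
import sys
from typing import Dict, Iterable, List, Tuple, Optional

# Indicators copied from the report (lower-case hex).
INDICATORS: Dict[str, Dict[str, str]] = {
    "#!~#0Pen_4422_P@$SW0rd~!!$.zip": {
        "md5": "56bcf8e0f9a1e7ee2e1954329366b4b4",
        "sha1": "24ce667a4a7ad4694230ef4efb004c7f5d9fa57c",
        "sha256": "04e78ecfe607fbbea63c548deac4a45403a4ce44ffa35a6e858bcbf4b09e7bdf",
        "sha512": "7560ec07ef74855dd5a73be4ff1293f879875af3662ff81c13eaf3d9ed1bf97fe77fe6ea5f94ac23a5a7b732397ab4a3d6a8baf198f872fe509f58f2d245a761",
    },
    "#!~#0Pen_4422_P@$SW0rd~!!$/Setup.exe": {
        "md5": "9a4cc0d8e7007f7ef20ca585324e0739",
        "sha1": "f3e5a2e477cac4bab85940a2158eed78f2d74441",
        "sha256": "040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92",
        "sha512": "54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def compute_digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hashers so the input is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_for_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream from disk so an archive does not have to fit in memory."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return compute_digests(chunks())


def match_indicators(digests: Dict[str, str],
                     indicators: Dict[str, Dict[str, str]] = INDICATORS) -> Dict[str, List[str]]:
    """Return {artifact: [algorithms whose digest matched]} for every artifact with a hit."""
    matches: Dict[str, List[str]] = {}
    for name, expected in indicators.items():
        hit = [alg for alg, value in expected.items()
               if alg in digests and digests[alg] == value.lower()]
        if hit:
            matches[name] = hit
    return matches


def classify(digests: Dict[str, str],
             indicators: Dict[str, Dict[str, str]] = INDICATORS) -> Tuple[str, Optional[str]]:
    """'full' when every published digest of one artifact matches; 'partial' when only
    some do (a transcription error in the table is the usual cause and should be
    investigated before trusting the indicator); 'none' otherwise."""
    matches = match_indicators(digests, indicators)
    if not matches:
        return "none", None
    name, hit = max(matches.items(), key=lambda kv: len(kv[1]))
    status = "full" if len(hit) == len(indicators[name]) else "partial"
    return status, name


if __name__ == "__main__":
    # Constructed usage: pass the path of the file you were handed.
    target = sys.argv[1] if len(sys.argv) > 1 else "Setup.exe"
    try:
        print(classify(digests_for_file(target)))
    except FileNotFoundError:
        # Constructed stand-in input so the script also runs without a sample on disk.
        print(classify(compute_digests([b"abc"])))  # ('none', None)
```

A "partial" result is worth a pause: two digests agreeing and a third disagreeing on the same bytes means the indicator table, not the file, is wrong, and the indicator should not be pushed to blocklists until corrected.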

Malware Config

Extracted

  • Family

    stealc

  • rc4.plain

Targets

    • Target

      #!~#0Pen_4422_P@$SW0rd~!!$/Setup.exe

    • Size

      94KB

    • MD5

      9a4cc0d8e7007f7ef20ca585324e0739

    • SHA1

      f3e5a2e477cac4bab85940a2158eed78f2d74441

    • SHA256

      040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

    • SHA512

      54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

    • SSDEEP

      1536:9M/AhIxHHWMpdPa5wiE21M8kJIGFvb1Cwn/ZDs5yf:9M4SwMpdCq/IM8uIGfV/ZDso

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (deciding whether to run based on the victim's locale).

    • Suspicious use of SetThreadContext

      Modifying another thread's context is a common step in process hollowing and similar code-injection techniques, where a suspended thread's instruction pointer is redirected to injected code.
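The two behavioural signatures "Reads data files stored by FTP clients" and "Checks computer location settings" are, at bottom, pattern matches over the file and registry operations the sample performed. The following is an added example, not the sandbox's own signature code: it re-implements both as rules over process events, assigns each hit to an ATT&CK technique consistent with the matrix below (the assignment is mine), and adds the one refinement an endpoint detection needs that a sandbox does not, namely ignoring the legitimate owner of the file (here assumed to be `filezilla.exe`). The event schema, the events, and the exact paths watched (`FileZilla\sitemanager.xml`, `recentservers.xml`, `filezilla.xml`, and the `Control Panel\International\Geo\Nation` registry value) are constructed assumptions for illustration.

```python
"""Two sandbox behaviour signatures expressed as rules over constructed process events."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # full path of the process image that performed the operation
    op: str       # "file_read" or "reg_query"
    target: str   # file path or registry value that was accessed


@dataclass(frozen=True)
class Rule:
    name: str
    op: str
    pattern: re.Pattern
    technique: str
    owner_images: frozenset  # image names allowed to touch the target legitimately


# Assumed locations; the regexes match a literal backslash before each component.
RULES: List[Rule] = [
    Rule("Reads data files stored by FTP clients", "file_read",
         re.compile(r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$", re.I),
         "T1552.001", frozenset({"filezilla.exe"})),
    Rule("Checks computer location settings", "reg_query",
         re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
         "T1012", frozenset()),
]


def match_events(events: List[Event], rules: List[Rule] = RULES) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) pair, skipping the file's legitimate owner."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for rule in rules:
            if ev.op != rule.op or not rule.pattern.search(ev.target):
                continue
            if image_name in rule.owner_images:
                continue
            hits.append({"signature": rule.name, "technique": rule.technique,
                         "pid": ev.pid, "image": ev.image, "target": ev.target})
    return hits


def attack_summary(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per ATT&CK technique, the shape of the matrix in the report."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["technique"])] = counts.get(str(h["technique"]), 0) + 1
    return counts


# Constructed events: an unpacked sample reading FTP-client stores and the locale
# value, FileZilla itself reading its own config, and an unrelated DLL read.
SAMPLE = r"C:\Users\user\Desktop\Setup.exe"
SAMPLE_EVENTS: List[Event] = [
    Event(4420, SAMPLE, "file_read", r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"),
    Event(4420, SAMPLE, "file_read", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    Event(4420, SAMPLE, "reg_query", r"HKCU\Control Panel\International\Geo\Nation"),
    Event(1234, r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "file_read",
          r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"),
    Event(4420, SAMPLE, "file_read", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for h in found:
        print(f"pid {h['pid']}: {h['signature']} [{h['technique']}] -> {h['target']}")
    print(attack_summary(found))  # {'T1552.001': 2, 'T1012': 1}
```

Porting sandbox signatures to production telemetry this way is where most false positives come from: the owner allowlist above handles the obvious case, but backup agents and sync clients also read these files, so in a real deployment the allowlist is populated from observed baseline traffic rather than hard-coded.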

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

    Unsecured Credentials, T1552 (1 hit)
    Credentials In Files, T1552.001 (1 hit)

  • Discovery

    Query Registry, T1012 (3 hits)
    System Information Discovery, T1082 (3 hits)

  • Collection

    Data from Local System, T1005 (1 hit)

Tasks