Malware Analysis Report

2024-09-11 16:54

Sample ID: 240614-rdm4zsxejj
Target: #!~#0Pen_4422_P@$SW0rd~!!$.zip
SHA256: 04e78ecfe607fbbea63c548deac4a45403a4ce44ffa35a6e858bcbf4b09e7bdf
Tags: stealc vidar discovery spyware stealer
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK Matrix
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral3
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 04e78ecfe607fbbea63c548deac4a45403a4ce44ffa35a6e858bcbf4b09e7bdf

Threat Level: Known bad

The file #!~#0Pen_4422_P@$SW0rd~!!$.zip was found to be: Known bad.

Malicious Activity Summary

Tags: stealc vidar discovery spyware stealer

Detect Vidar Stealer

Stealc

Vidar

Reads data files stored by FTP clients

Checks computer location settings

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 14:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 14:04
Reported: 2024-06-14 14:07
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe"

Signatures

N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 14:04
Reported: 2024-06-14 14:07
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe"

Signatures

Detect Vidar Stealer
Tags: stealer

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Stealc
Tags: stealer stealc

Vidar
Tags: stealer vidar

Reads data files stored by FTP clients
Tags: spyware stealer

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2336 set thread context of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |

Checks installed software on the system
Tags: discovery

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |

Delays execution with timeout.exe
Tags: evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |

Suspicious behavior: MapViewOfSection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2336 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2336 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2336 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2336 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 924 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 924 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 924 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 924 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 924 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 1316 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe |
| PID 1316 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe |
| PID 1316 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe |
| PID 4896 wrote to memory of 2180 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4896 wrote to memory of 2180 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4896 wrote to memory of 2180 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |

Processes

Process: C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe"

Process: C:\Windows\SysWOW64\netsh.exe
Command line: C:\Windows\SysWOW64\netsh.exe

Process: C:\Users\Admin\AppData\Local\Temp\coml.au3
Command line: C:\Users\Admin\AppData\Local\Temp\coml.au3

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\KKKJKEBKFCAA" & exit

Process: C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 10

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | feeldog.xyz | udp |

Files

memory/2336-0-0x00007FFE98090000-0x00007FFE98202000-memory.dmp

memory/2336-5-0x00007FFE980A8000-0x00007FFE980A9000-memory.dmp

memory/2336-6-0x00007FFE98090000-0x00007FFE98202000-memory.dmp

memory/2336-7-0x00007FFE98090000-0x00007FFE98202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb4f0185
MD5: 3e8dfb4d574108cc48c11a58eeb881bb
SHA1: ed9bd062f70c02d479e6a1c5e110c47868a2e113
SHA256: daae1fcb3c2f0f01dbafd3870bd6a15e7866a247203529453df9798ed3656241
SHA512: afa0efa4aff37f038118980da179609719918d91eb1a1e785510bd773cb3617c83e7718830e6f896aa8653b3ff5b694e9b777e6ad0185ae52b79ca87c19e7dd3

memory/924-10-0x00007FFEB6290000-0x00007FFEB6485000-memory.dmp

memory/924-13-0x0000000073E7E000-0x0000000073E80000-memory.dmp

memory/924-14-0x0000000073E71000-0x0000000073E7F000-memory.dmp

memory/924-17-0x0000000073E71000-0x0000000073E7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1316-19-0x0000000000BA0000-0x00000000012EC000-memory.dmp

memory/1316-21-0x00007FFEB6290000-0x00007FFEB6485000-memory.dmp

memory/1316-22-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1316-40-0x0000000000BA0000-0x00000000012EC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 14:04
Reported: 2024-06-14 14:07
Platform: win11-20240508-en
Max time kernel: 70s
Max time network: 82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe"

Signatures

Detect Vidar Stealer
Tags: stealer

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Stealc
Tags: stealer stealc

Vidar
Tags: stealer vidar

Reads data files stored by FTP clients
Tags: spyware stealer

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3608 set thread context of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |

Checks installed software on the system
Tags: discovery

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |

Delays execution with timeout.exe
Tags: evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |

Suspicious behavior: MapViewOfSection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3608 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3608 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3608 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3608 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4524 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 4524 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 4524 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 4524 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 4524 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
| PID 3032 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe |
| PID 3032 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe |
| PID 3032 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe |
| PID 1652 wrote to memory of 3736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1652 wrote to memory of 3736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1652 wrote to memory of 3736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |

Processes

Process: C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_4422_P@$SW0rd~!!$\Setup.exe"

Process: C:\Windows\SysWOW64\netsh.exe
Command line: C:\Windows\SysWOW64\netsh.exe

Process: C:\Users\Admin\AppData\Local\Temp\coml.au3
Command line: C:\Users\Admin\AppData\Local\Temp\coml.au3

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\IECFIEGDBKJK" & exit

Process: C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 10

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | feeldog.xyz | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |

Files

memory/3608-0-0x00007FFD9E7A0000-0x00007FFD9E91A000-memory.dmp

memory/3608-5-0x00007FFD9E7B8000-0x00007FFD9E7B9000-memory.dmp

memory/3608-6-0x00007FFD9E7A0000-0x00007FFD9E91A000-memory.dmp

memory/3608-7-0x00007FFD9E7A0000-0x00007FFD9E91A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a7eb1961
MD5: 1724c6dd09c85007151e90453e0efd44
SHA1: eb2eca8d7cd221b7567f64e8c6e6f40830bd097e
SHA256: 59534bc85358b4b0e11fd06480b8c8e54f7456d15c35c3254a7aa94abd7d029c
SHA512: aa44f83abfd139a814eb4a71750d3b59a88fbec49cab5d6960dfdcc1b024f931c6d0b8acee1754a8a90522189344eb2f08ab0e16b3a8aa7c3275edd201792c32

memory/4524-10-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/4524-13-0x00000000743C1000-0x00000000743CF000-memory.dmp

memory/4524-12-0x00000000743CE000-0x00000000743D0000-memory.dmp

memory/4524-17-0x00000000743C1000-0x00000000743CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3032-20-0x0000000001000000-0x000000000174C000-memory.dmp

memory/3032-21-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/3032-22-0x0000000001000000-0x000000000174C000-memory.dmp

memory/3032-23-0x0000000001000000-0x000000000174C000-memory.dmp

memory/3032-24-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3032-42-0x0000000001000000-0x000000000174C000-memory.dmp