Malware Analysis Report

2024-09-11 16:52

Sample ID 240614-ywqfdstfqb
Target Set-up_v25.6.exe
SHA256 48530f667563a595c24f245c994484ca43c991cce4b77fd1dca8f7d486cbc389
Tags stealc vidar discovery spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

48530f667563a595c24f245c994484ca43c991cce4b77fd1dca8f7d486cbc389

Threat Level: Known bad

The file Set-up_v25.6.exe was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Stealc

Detect Vidar Stealer

Vidar

Downloads MZ/PE file

Reads user/profile data of local email clients

Loads dropped DLL

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:10

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:08

Reported

2024-06-14 20:13

Platform

win10v2004-20240611-en

Max time kernel

90s

Max time network

189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe

"C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBKJEGCBKKJE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.121.18.2.in-addr.arpa udp
RU 77.221.158.54:80 77.221.158.54 tcp
US 8.8.8.8:53 54.158.221.77.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1844-2-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/1844-0-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/1844-8-0x0000000000CE2000-0x00000000011A2000-memory.dmp

memory/1844-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/1844-5-0x0000000003F90000-0x0000000003F91000-memory.dmp

memory/1844-4-0x0000000003F80000-0x0000000003F81000-memory.dmp

memory/1844-3-0x0000000003E60000-0x0000000003E61000-memory.dmp

memory/1844-7-0x0000000000AA0000-0x000000000194A000-memory.dmp

memory/1844-11-0x000000001ECC0000-0x000000001EF1F000-memory.dmp

C:\ProgramData\CBKJEGCBKKJE\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\CBKJEGCBKKJE\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1844-82-0x0000000000CE2000-0x00000000011A2000-memory.dmp

memory/1844-83-0x0000000000AA0000-0x000000000194A000-memory.dmp

C:\ProgramData\CBKJEGCBKKJE\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\CBKJEGCBKKJE\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\CBKJEGCBKKJE\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:08

Reported

2024-06-14 20:13

Platform

win7-20240508-en

Max time kernel

109s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe

"C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Set-up_v25.6.exe" & rd /s /q "C:\ProgramData\KKECBFCGIEGC" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
RU 77.221.158.54:80 tcp
RU 77.221.158.54:80 tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 t.me udp

Files

memory/1624-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1624-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1624-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1624-31-0x00000000012C0000-0x000000000216A000-memory.dmp

memory/1624-34-0x00000000012C0000-0x000000000216A000-memory.dmp

memory/1624-33-0x0000000001502000-0x00000000019C2000-memory.dmp

memory/1624-29-0x0000000000630000-0x0000000000631000-memory.dmp

memory/1624-27-0x0000000000630000-0x0000000000631000-memory.dmp

memory/1624-24-0x0000000000620000-0x0000000000621000-memory.dmp

memory/1624-22-0x0000000000620000-0x0000000000621000-memory.dmp

memory/1624-19-0x0000000000610000-0x0000000000611000-memory.dmp

memory/1624-17-0x0000000000610000-0x0000000000611000-memory.dmp

memory/1624-14-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1624-12-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1624-9-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1624-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1624-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1624-35-0x00000000012C0000-0x000000000216A000-memory.dmp

memory/1624-36-0x0000000001502000-0x00000000019C2000-memory.dmp

memory/1624-37-0x00000000012C0000-0x000000000216A000-memory.dmp