Overview

overview

10

Static

static

3

9fd04eb725...85.exe

windows7-x64

10

9fd04eb725...85.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bf808afcc221165140ff57a5e31bdef2.bin

  • Size

    203KB

  • Sample

    240615-c8vd8awhpc

  • MD5

    4684e83d2fa7018641badd8e3849bf25

  • SHA1

    cb19654d432b79b3cf46000ec0b3025281e8f1dc

  • SHA256

    5badf3415fece2cb84e3d1593877f45e930069650cce31d69b00177c7f8cf77f

  • SHA512

    7041b36599290878b8b7b07fd1a4345ce667d5093abb7a3b2814c5015c052eaa78e5bc7566cdf4bb35c2226ca11211be8a759ba473372b94064c1736290caae1

  • SSDEEP

    3072:Rlw8aFtgyKR4SpJVjspa319WJ719ruZHz4yBOxnZnBPLJAhyXm1En8gXciAB5r:RX+uyDWyarmh2zRAVLJAhom0dMRb

Score
10/10
stealcsystembcvidardiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

C2

https://t.me/memve4erin

https://steamcommunity.com/profiles/76561199699680841
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Extracted

Family

systembc

C2

173.211.46.4:4299

127.0.0.1:4299

Targets

    • Target

      9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

    • Size

      368KB

    • MD5

      bf808afcc221165140ff57a5e31bdef2

    • SHA1

      64f4ddd4a0f8cde10c990e6167fefb95a311ccec

    • SHA256

      9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885

    • SHA512

      d1521cd2ca9e064a08f4252bd82c0b6c97c464c49cd327a201d085107201e9cac02a9b311e042e79ee1eddee482975afea1ef0682e2c8bbd74e1415f23cbe1cf

    • SSDEEP

      3072:VUrql9LC/xRNNWY+/BFsiLMcOQlBDQiOKehsPsPn0ScNMvlL+l0A+5NnpINCfh1:VUraLC/xRPO/BmjJQlNKhskHcwL+W/b

    Score
    10/10
    stealcsystembcvidardiscoverypersistencespywarestealertrojan

    • Detect Vidar Stealer

      stealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks