stealc | 5badf3415fece2cb84e3d1593877f45e930069650cce31d69b00177c7f8cf77f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
Size

368KB
MD5

bf808afcc221165140ff57a5e31bdef2
SHA1

64f4ddd4a0f8cde10c990e6167fefb95a311ccec
SHA256

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885
SHA512

d1521cd2ca9e064a08f4252bd82c0b6c97c464c49cd327a201d085107201e9cac02a9b311e042e79ee1eddee482975afea1ef0682e2c8bbd74e1415f23cbe1cf
SSDEEP

3072:VUrql9LC/xRNNWY+/BFsiLMcOQlBDQiOKehsPsPn0ScNMvlL+l0A+5NnpINCfh1:VUraLC/xRPO/BmjJQlNKhskHcwL+W/b

Score

10^/10

stealc systembc vidar discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://t.me/memve4erin

https://steamcommunity.com/profiles/76561199699680841

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Extracted

Family

systembc

173.211.46.4:4299

127.0.0.1:4299

Signatures

Detect Vidar Stealer 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3044-3-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-2-0x0000000000220000-0x0000000000255000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-99-0x0000000000400000-0x0000000002378000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-251-0x0000000000400000-0x0000000002378000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-253-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-407-0x0000000000400000-0x0000000002378000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-612-0x0000000000400000-0x0000000002378000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-712-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/3044-710-0x0000000000400000-0x0000000002378000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2904	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

FCAECAKKFB.exe

pid	Process
2804	FCAECAKKFB.exe

Loads dropped DLL 4 IoCs

Processes:

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

pid	Process
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FCAECAKKFB.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\ProgramData\\FCAECAKKFB.exe'\""	FCAECAKKFB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2348	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

pid	Process
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.execmd.exe

description	pid	Process	procid_target
PID 3044 wrote to memory of 2804	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	32
PID 3044 wrote to memory of 2804	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	32
PID 3044 wrote to memory of 2804	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	32
PID 3044 wrote to memory of 2804	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	32
PID 3044 wrote to memory of 2904	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	33
PID 3044 wrote to memory of 2904	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	33
PID 3044 wrote to memory of 2904	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	33
PID 3044 wrote to memory of 2904	3044	9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe	33
PID 2904 wrote to memory of 2348	2904	cmd.exe	35
PID 2904 wrote to memory of 2348	2904	cmd.exe	35
PID 2904 wrote to memory of 2348	2904	cmd.exe	35
PID 2904 wrote to memory of 2348	2904	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe
"C:\Users\Admin\AppData\Local\Temp\9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\ProgramData\FCAECAKKFB.exe
  "C:\ProgramData\FCAECAKKFB.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9fd04eb7256cd879dc38ea0765ffc538b89e708ba30250f23d947c3713f97885.exe" & rd /s /q "C:\ProgramData\GIJDGCAEBFII" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2A7C.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D70.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
\ProgramData\FCAECAKKFB.exe

Filesize
7KB

MD5
557331587055f884e301b299883620ec

SHA1
cff40f1845dc2749fe352a280808d08c468b9a0e

SHA256
cd83bbe57e977043d1ec53f43cc9f879c5b37944a8586cfad729e10e6d596d0d

SHA512
2e5fdec1b587b4745da169177b47c20b9ab91e45637b227998f907f3a303a00eaf4bfb71165e898b3d2de603739cc46c226cefacbef208416acff67f1d3f9b08

Download Submit
memory/3044-253-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3044-3-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3044-99-0x0000000000400000-0x0000000002378000-memory.dmp

Filesize
31.5MB

Download
memory/3044-149-0x0000000014480000-0x00000000146DF000-memory.dmp

Filesize
2.4MB

Download
memory/3044-251-0x0000000000400000-0x0000000002378000-memory.dmp

Filesize
31.5MB

Download
memory/3044-252-0x0000000002450000-0x0000000002550000-memory.dmp

Filesize
1024KB

Download
memory/3044-2-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/3044-407-0x0000000000400000-0x0000000002378000-memory.dmp

Filesize
31.5MB

Download
memory/3044-612-0x0000000000400000-0x0000000002378000-memory.dmp

Filesize
31.5MB

Download
memory/3044-1-0x0000000002450000-0x0000000002550000-memory.dmp

Filesize
1024KB

Download
memory/3044-711-0x0000000002450000-0x0000000002550000-memory.dmp

Filesize
1024KB

Download
memory/3044-712-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3044-710-0x0000000000400000-0x0000000002378000-memory.dmp

Filesize
31.5MB

Download