Analysis

  • max time kernel
    79s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 01:57

General

  • Target

    SETAP_9090__Pa$$W0rdS~!!/pythonw.exe

  • Size

    94KB

  • MD5

    9a4cc0d8e7007f7ef20ca585324e0739

  • SHA1

    f3e5a2e477cac4bab85940a2158eed78f2d74441

  • SHA256

    040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

  • SHA512

    54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

  • SSDEEP

    1536:9M/AhIxHHWMpdPa5wiE21M8kJIGFvb1Cwn/ZDs5yf:9M4SwMpdCq/IM8uIGfV/ZDso

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

  • Detect Vidar Stealer 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
  • Detects executables containing potential Windows Defender anti-emulation checks 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe
    "C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
      C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\SysWOW64\netsh.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Users\Admin\AppData\Local\Temp\coml.au3
          C:\Users\Admin\AppData\Local\Temp\coml.au3
          4⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5108
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 10
              6⤵
              • Delays execution with timeout.exe
              PID:4404

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 3
    • System Information Discovery (T1082): 3
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9ed5ce50
    Filesize

    6.8MB

    MD5

    d81f39cdad84738e004757bc319c03b8

    SHA1

    23f374ee188879ef7f0e05177e38fcd9d04d4b82

    SHA256

    51b26d1f5b676ad1cb3b5a13a958ea0635c35ea44883ab3992d29c1af31b36b9

    SHA512

    c7a7fb4db6d0222f240812df2bb94aa15e2063fbb4da83d2aa09675b48f8aab9391efc814b85f881b9494dc1691bb0369c4f0d375594729db879ccbc9082d91d

  • C:\Users\Admin\AppData\Local\Temp\coml.au3
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Roaming\Httva\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    49c96cecda5c6c660a107d378fdfc3d4

    SHA1

    00149b7a66723e3f0310f139489fe172f818ca8e

    SHA256

    69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

    SHA512

    e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

  • C:\Users\Admin\AppData\Roaming\Httva\ear.eml
    Filesize

    68KB

    MD5

    58b327325f4203803325c7901fb16ccd

    SHA1

    6fa0f727ebdaf965744ecf0c67cc6b3fcc745620

    SHA256

    83477ae6d1da7c9f4a88f067b9f15691c66c51c4c82078ab468cc0c04d0d426c

    SHA512

    a1c85c473490f4eb5008a45a8af9909cb1caf0dd84602ed7ea08c593091a979d0814cd3c7a2cf6681790162e13315f482a05f53477428b1c946e2d96740eb307

  • C:\Users\Admin\AppData\Roaming\Httva\python310.dll
    Filesize

    4.3MB

    MD5

    e31064ef0869d01beb4841879a87a391

    SHA1

    7c26d7c27215afa8304df18a7a6bc4a03eaf70c5

    SHA256

    2c9b70db08be7e17ee33130cc8ace2d02d381f7fd9a5cc3b52be9a2e4727c006

    SHA512

    50036e765f8c95f8511f6961888e42378225c98cf0f57423c3c91a6b154d2220be251e38f1ab04f59cace563c6a8701b08097762f71f875b371655dbdb560622

  • C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
    Filesize

    94KB

    MD5

    9a4cc0d8e7007f7ef20ca585324e0739

    SHA1

    f3e5a2e477cac4bab85940a2158eed78f2d74441

    SHA256

    040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

    SHA512

    54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

  • C:\Users\Admin\AppData\Roaming\Httva\towel.vhd
    Filesize

    6.2MB

    MD5

    5b9a5e459770a6dd896c725ba08a1e95

    SHA1

    546e8af7d2c72661ff63e9f57ab3ff009b863041

    SHA256

    fff2204de2ce109fe1d8e014e9508368c38d40d9f863678bcf3129978f9db424

    SHA512

    cc4673cb0b411a26a89a9c22241b5fca0107a11ecf1c8dfad1ec65060e64894fc7b2668cfd8ba1f18236b67fb21985fb8cbf5c3c7213d5040ecbad59d9ef6c22

  • memory/1824-22-0x000000007450E000-0x0000000074510000-memory.dmp
    Filesize

    8KB

  • memory/1824-27-0x0000000074501000-0x000000007450F000-memory.dmp
    Filesize

    56KB

  • memory/1824-23-0x0000000074501000-0x000000007450F000-memory.dmp
    Filesize

    56KB

  • memory/1824-20-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp
    Filesize

    2.0MB

  • memory/2628-44-0x0000000000E30000-0x000000000157C000-memory.dmp
    Filesize

    7.3MB

  • memory/2628-29-0x0000000000E30000-0x000000000157C000-memory.dmp
    Filesize

    7.3MB

  • memory/2628-31-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp
    Filesize

    2.0MB

  • memory/2628-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize

    972KB

  • memory/2668-0-0x00007FFF9E640000-0x00007FFF9E7B2000-memory.dmp
    Filesize

    1.4MB

  • memory/4804-16-0x00007FFF9EA60000-0x00007FFF9EBD2000-memory.dmp
    Filesize

    1.4MB

  • memory/4804-15-0x00007FFF9EA78000-0x00007FFF9EA79000-memory.dmp
    Filesize

    4KB

  • memory/4804-14-0x00007FFF9EA60000-0x00007FFF9EBD2000-memory.dmp
    Filesize

    1.4MB

  • memory/4804-17-0x00007FFF9EA60000-0x00007FFF9EBD2000-memory.dmp
    Filesize

    1.4MB