Analysis

  • max time kernel
    115s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 13:52

General

  • Target
    #Active_Setup_2233_P@ssWord#.rar
  • Size
    12.7MB
  • MD5
    5ab48705895aba3e57b2efe8d4ac925d
  • SHA1
    5fa98c75bb60d7255a66c829d9e6c089cad580c3
  • SHA256
    cdb8b9d0d3cbe1cfa7158fcaa598d1297a90029706d72d9da6b63a1624494536
  • SHA512
    fe5add4d8993b84d04766b8efd2614c1bad4c4010ec8917cbbdf2d0822773f7c505db1be2cb1f635c6d98a1557cd1afa6ea092154e86c2b3cfaf52effbfb4db5
  • SSDEEP
    196608:FRRZ3+pcdkIyBVzza916yIwXF0xj+RRougEo+6+n8kpsGFfZ1OAm8zXYmLjWaRIU:dZXkFKGwXSkvzVD8JGF0uRl

Score
10/10

Malware Config

Extracted

  • Family
    stealc
  • rc4.plain

Signatures

  • Detect Vidar Stealer 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 29 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar"
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1856
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
    PID:1880
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log
    • Opens file in notepad (likely ransom note)
    PID:1060
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2004
  • C:\Users\Admin\Desktop\file\Setup.exe
    "C:\Users\Admin\Desktop\file\Setup.exe"
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Local\Temp\coml.au3
        C:\Users\Admin\AppData\Local\Temp\coml.au3
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 148
          • Loads dropped DLL
          • Program crash
          PID:2516
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4ac4075e
    Filesize
    6.8MB
    MD5
    0d91ffa72b4bdd27ea58d759f8942506
    SHA1
    8b9e411558ab95841497e8dfc407b60996475c62
    SHA256
    3f845a6f2b30cf23a34f1751400bb7ae12b9a4aa2114a8ae978f12df82290650
    SHA512
    1d575b32a2e7c9814abc7f25127abf30326c93a049624051302cd15aa8f582c6f00b75438887992ac0d929e14482c8343d0f4dda7dc21cac52d74ab185964e16

  • C:\Users\Admin\Desktop\file\MSVCP140.dll
    Filesize
    564KB
    MD5
    1ba6d1cf0508775096f9e121a24e5863
    SHA1
    df552810d779476610da3c8b956cc921ed6c91ae
    SHA256
    74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
    SHA512
    9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

  • C:\Users\Admin\Desktop\file\VCRUNTIME140.dll
    Filesize
    106KB
    MD5
    49c96cecda5c6c660a107d378fdfc3d4
    SHA1
    00149b7a66723e3f0310f139489fe172f818ca8e
    SHA256
    69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
    SHA512
    e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

  • C:\Users\Admin\Desktop\file\VCRUNTIME140_1.dll
    Filesize
    48KB
    MD5
    cf0a1c4776ffe23ada5e570fc36e39fe
    SHA1
    2050fadecc11550ad9bde0b542bcf87e19d37f1a
    SHA256
    6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
    SHA512
    d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

  • C:\Users\Admin\Desktop\file\covalency.dwg
    Filesize
    79KB
    MD5
    5592c01b512749d9dce7c6d5861ee385
    SHA1
    ad19e91e76aadda703ae31e7bcc7602c5f67fc00
    SHA256
    77c5dfbc5c124b1e8acb65db529b5c2ef672aa5eb39d8d1ee89325db16efa6d7
    SHA512
    6811ca9ffe9fdbd7bf8ed56ab95f39b2d125054578105c1561b9c428960f771d31cc49367e43a86648f04e6b4bd3cd3ffbd2b403c89a8da5574265cd48c6b855

  • C:\Users\Admin\Desktop\file\flutter_desktop_sleep_plugin.dll
    Filesize
    91KB
    MD5
    ae8bbd77a997d05c06e459f0f3faa5af
    SHA1
    843ae129debba252eaebce0459adccddc1315826
    SHA256
    9600697c57da5a1411a227eb5fc135f20d0ea292f458290d15fb959c1f75537e
    SHA512
    13067ed69244f94206e642b408143409b48fb976221dbbbbdd86f0b357a8b7b0cad334a6259751a718f2149e183d322bb8b03e26abff2cdcac2826a551e27d2f

  • C:\Users\Admin\Desktop\file\flutter_windows.dll
    Filesize
    17.4MB
    MD5
    9a2d29e60f24ca70eaa24d10c67258c0
    SHA1
    56939d04faf49f1bf22a07446d217b7ffa3f9ba0
    SHA256
    a2916ec602bad9e0798019b96fcfe9d26b880c310402e913294c19bd700c429e
    SHA512
    c030d6a6a3e34c0e9af1925e4be7c84dd47f8523cc130985d0ced419d1d3f4a05c34082b21cc468c3e44e58fddc982f7592b1ce76a552ab146f079524b68b6d1

  • C:\Users\Admin\Desktop\file\hermit.txt
    Filesize
    6.2MB
    MD5
    1c9e57f556f8b1365f755dea9ae368ac
    SHA1
    2cdde22689c2301245b2bfc79f42e39895d25e8f
    SHA256
    72d1f9bf1f669b2308e28522a00a689f960d5c38bc794d17b09d8552cd8906bc
    SHA512
    c2b434add9c23ec97a7a98b89a1814fc0ca2ba601501a569b2a5525da4940769f49548195969b6ccf82182b2f8e5ce0930d281799484c99418add7c65fbe2eb2

  • C:\Users\Admin\Desktop\file\url_launcher_windows_plugin.dll
    Filesize
    92KB
    MD5
    7e6a40e0083af22b186b662553d679fc
    SHA1
    b74c38d1d33004fb27b1df8003ecd4b87a5739c1
    SHA256
    578323ec0b492e72987778af3811cd00b71171b1e84b92e720964543f8f3a183
    SHA512
    3ac74e807bddffc2965cb3878a51e5c7c3b5eab2dcf8bc1ffaa41a56e20460cd01ff6b9a00d78e1aa021f5b9c38ba4f4726d37bf42749da4fa208e3f8985c114

  • C:\Users\Admin\Desktop\file\windows_single_instance_plugin.dll
    Filesize
    82KB
    MD5
    00c451a17ddfcd810086fb2ad794125a
    SHA1
    feba77a0ca91f828099a3444a93ff11b6ce40fe5
    SHA256
    f1430479210c19093d76435e5826e3578420933248b51164e11f0992f77ed1f1
    SHA512
    6ea4d2556e0b82d017cde2a3c5c9b2881daca6b5af0e92cd10be886047eb6303085244ac1bb764e96595b3ca448504591c976dfefbffca8c6cbabe28f81e78c3

  • \Users\Admin\AppData\Local\Temp\coml.au3
    Filesize
    872KB
    MD5
    c56b5f0201a3b3de53e561fe76912bfd
    SHA1
    2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256
    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512
    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • \Users\Admin\Desktop\file\Setup.exe
    Filesize
    316KB
    MD5
    c637e5ecf625b72f4bef9d28cd81d612
    SHA1
    a2c1329d290e508ee9fd0eb81e7f25d57e450f8c
    SHA256
    111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6
    SHA512
    727d78bab4fab3674eec92ca5f07df6a0095ab3b973dd227c599c70e8493592bb53bb9208cc6270713283ef0065acfad3203ddcf4dcb6d43f8727f09ceaaf2e4

  • \Users\Admin\Desktop\file\tray_manager_plugin.dll
    Filesize
    113KB
    MD5
    65dcbb76cbb2bbb1684186f1520e888d
    SHA1
    25d656c1cb3c814776779bc53e0e2b937d8441f4
    SHA256
    9c7e0de576932c8b2149849c96f3493bcae215f6db5996dbaf5ae1788697e8f0
    SHA512
    e351547e551943db0267828e283797c81b593ec303cee4d4447226e86927acac93b87226e79e1a913a1ec397b4183b7ee81a2af8764f71d7fa73c41bb102d9ca

  • memory/2028-213-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize
    5.9MB
  • memory/2028-214-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize
    5.9MB
  • memory/2028-235-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize
    5.9MB
  • memory/2320-217-0x0000000077CA0000-0x0000000077E49000-memory.dmp
    Filesize
    1.7MB
  • memory/2320-219-0x0000000073C40000-0x0000000073DB4000-memory.dmp
    Filesize
    1.5MB
  • memory/2512-226-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize
    4KB
  • memory/2512-225-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize
    4KB
  • memory/2512-228-0x0000000000810000-0x0000000000F5B000-memory.dmp
    Filesize
    7.3MB
  • memory/2512-236-0x0000000000810000-0x0000000000F5B000-memory.dmp
    Filesize
    7.3MB