General

  • Target

    #!~#0PEn_9797_P@$SW0rd~!^!!$.rar

  • Size

    7.7MB

  • Sample

    240618-p39ceaycnk

  • MD5

    78cd577ca78cfb7e34e8a8ea42fbf010

  • SHA1

    453ce0bbf1229ae3ae3a9d18163b5aa3d0d57a05

  • SHA256

    8a70aefa2707adfc89832e1e50d50643f0701eff060ffcf4f9259e9e083f69c9

  • SHA512

    9cb475830828cb3547f99694ea210080a81d3f5e0e1ab0f0a9891c255a7058d0a91c3805d4cbd5006554c75b97d33271d57e8105eff200f4dc3ec77f181ffb38

  • SSDEEP

    196608:MnKMnWcQwj8z5/Ft1FwE0u96ztCCoWWrJMEWx5lHnzYIJ6LCOH:M/3QW8Nd00kCP/WxbzYIU+C

Malware Config

Extracted

  • Family

    stealc

  • rc4.plain
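
The rc4.plain field above is where the sandbox reports a recovered RC4 key in plaintext; the key itself is not reproduced on this page. The following is an added example (not sandbox or Stealc code) of how such a key is used to recover configuration strings: an RC4 implementation plus a decoder for the base64-wrapped, RC4-encrypted string layout this stealer family is known to use. The placeholder key and the encrypted blobs below are constructed for illustration; the base64 wrapping is an assumption about the string encoding, and the decoder exposes the raw RC4 step so a different wrapping can be handled.

```python
"""Recover RC4-encrypted configuration strings given a plaintext RC4 key.

Added example, not code from the sandbox report or from the malware family.
SAMPLE_KEY and SAMPLE_BLOBS are constructed here; they are not the values
extracted from the sample above.
"""
import base64
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling algorithm followed by the PRGA."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_config_string(key: bytes, blob: str) -> str:
    """Decode one config string laid out as base64(RC4(key, plaintext)).

    The base64 layer is an assumption about the family's string encoding;
    call rc4() directly if the strings are stored raw.
    """
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def encrypt_config_string(key: bytes, text: str) -> str:
    """Inverse of decrypt_config_string, used only to build the sample below."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def decrypt_all(key: bytes, blobs: List[str]) -> List[str]:
    """Decrypt a list of config strings, e.g. everything pulled from a dump."""
    return [decrypt_config_string(key, b) for b in blobs]


# Constructed sample data (placeholder key, not the extracted one).
SAMPLE_KEY = b"example_rc4_key"
SAMPLE_PLAINTEXTS = [
    "http://203.0.113.10/c2",           # documentation address, not a real C2
    r"\FileZilla\recentservers.xml",
    r"\Control Panel\International",
]
SAMPLE_BLOBS = [encrypt_config_string(SAMPLE_KEY, s) for s in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, decrypt_all(SAMPLE_KEY, SAMPLE_BLOBS)):
        print(f"{blob}  ->  {text}")
```

The known-answer check in the test (key "Key", plaintext "Plaintext") guards against the classic RC4 slip of swapping before, rather than after, computing the output index; with a recovered key, feed the decoded blobs from a memory dump or the unpacked binary to decrypt_all in place of SAMPLE_BLOBS.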

Targets

    • Target

      Setup.exe

    • Size

      2.3MB

    • MD5

      5d52ef45b6e5bf144307a84c2af1581b

    • SHA1

      414a899ec327d4a9daa53983544245b209f25142

    • SHA256

      26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

    • SHA512

      458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

    • SSDEEP

      49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects execution of an existing thread; legitimate in debuggers and runtimes, it is also a standard step in process injection and hollowing.
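
The three behavioural signatures above (FTP-client config access, registry country-code lookup, SetThreadContext) are the kind of thing a triage script can re-derive from an API trace. The following is an added example, not the sandbox's own detection logic: it runs over a constructed trace whose event layout, process ids and paths are assumptions. The FileZilla file names and the Geo\Nation registry value are the locations those programs and Windows normally use, but the specific keys and files this sample touched are not listed on the page.

```python
"""Flag FTP-client config reads, geofence registry lookups and thread-context
hijacking in an API-call trace.

Added example; the Event format, the TRACE contents and the process ids are
constructed, not sandbox output for the sample in this report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    pid: int
    api: str
    arg: str      # file path, registry value path, or target process ("pid=N")


# Constructed trace, loosely modelled on what a sandbox logs (not real output).
TRACE = [
    Event(1337, "RegQueryValueExW", r"HKCU\Control Panel\International\Geo\Nation"),
    Event(1337, "CreateFileW", r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"),
    Event(1337, "CreateFileW", r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"),
    Event(1337, "CreateFileW", r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Recent\a.lnk"),
    Event(1337, "NtUnmapViewOfSection", "pid=2048"),
    Event(1337, "WriteProcessMemory", "pid=2048"),
    Event(1337, "SetThreadContext", "pid=2048"),
    Event(1337, "ResumeThread", "pid=2048"),
]

# FileZilla keeps saved and recent servers in these files; WinSCP.ini is an
# assumed addition showing how the list is extended to other FTP clients.
FTP_CLIENT_FILES = re.compile(
    r"\\(FileZilla\\(sitemanager|recentservers)\.xml|WinSCP\.ini)$", re.IGNORECASE)
# Assumed: the configured country (GeoID) lives under this per-user key.
GEO_KEYS = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
FILE_OPEN_APIS = {"CreateFileW", "CreateFileA", "NtCreateFile", "NtOpenFile"}
# SetThreadContext alone is benign; require the write-before, resume-after shape.
INJECTION_SEQ = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect(trace: List[Event]) -> Dict[str, List[str]]:
    hits: Dict[str, List[str]] = {
        "ftp_client_config": [],
        "geofence_lookup": [],
        "thread_context_hijack": [],
    }
    for e in trace:
        if e.api in FILE_OPEN_APIS and FTP_CLIENT_FILES.search(e.arg):
            hits["ftp_client_config"].append(e.arg)
        if e.api.startswith("RegQueryValue") and GEO_KEYS.search(e.arg):
            hits["geofence_lookup"].append(e.arg)

    # Group the injection-related calls per target process and check ordering.
    per_target: Dict[str, List[str]] = {}
    for e in trace:
        if e.api in INJECTION_SEQ:
            per_target.setdefault(e.arg, []).append(e.api)
    for target, apis in per_target.items():
        if all(a in apis for a in INJECTION_SEQ):
            w, s, r = (apis.index(a) for a in INJECTION_SEQ)
            if w < s < r:
                hits["thread_context_hijack"].append(target)
    return hits


if __name__ == "__main__":
    for name, matches in detect(TRACE).items():
        print(f"{name}: {matches if matches else '-'}")
```

The ordering check is what keeps the SetThreadContext rule from firing on a debugger or the CLR, which call it without first writing into a freshly unmapped remote process; the expected result on the constructed trace is two FTP-client hits, one geofence hit and one hijack target.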

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      Hits  ID
  Persistence           Event Triggered Execution      1     T1546
                        Netsh Helper DLL               1     T1546.007
  Privilege Escalation  Event Triggered Execution      1     T1546
                        Netsh Helper DLL               1     T1546.007
  Credential Access     Unsecured Credentials          1     T1552
                        Credentials In Files           1     T1552.001
  Discovery             Query Registry                 3     T1012
                        System Information Discovery   3     T1082
  Collection            Data from Local System         1     T1005

Tasks