General

  • Target

    #Nḙw_PCŜétup-44017-Pa$$wrD!!.rar

  • Size

    7.1MB

  • Sample

    240618-qaccmsvbnc

  • MD5

    0bae1027ac221f6da2c7ce403c9800e2

  • SHA1

    5b45b222de60318d34b4caa6eecc5944b7bc63bd

  • SHA256

    1606dc0cfa75904afa9a73126bb35935db1c49944542108f4dd4c95b06dedad4

  • SHA512

    d7987a006f7a536790072889586960d38d33f24db5a562b55bc9cb9ab679b133ebbf494af214ec4e8320c6a55fdd06d23107b650c6292e7fa505bdc985e27411

  • SSDEEP

    196608:CfNgzYJt8DGTestkHRlWUQzpqBjTQlCni:C1gsJt8SFtORlWUL54Ci
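The hashes above (and the Set-up.exe hashes listed under Targets) are the indicators a responder would actually search for. The following script is an added example and is not part of this sandbox report: it streams a file through MD5, SHA1, SHA256 and SHA512 in one pass and looks the result up against the page's indicators. The IOC values are copied from the page; the `digest_file` and `scan` helpers and the byte strings used in the self-check are assumptions constructed for the example and are not the malware.

```python
"""Added example (not part of the sandbox report): hash a file with the four
algorithms listed on the page and check the result against the report's IOCs."""
import hashlib
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators copied from the report: the archive and the extracted Set-up.exe.
IOCS: Dict[str, Dict[str, str]] = {
    "#Nḙw_PCŜétup-44017-Pa$$wrD!!.rar": {
        "md5": "0bae1027ac221f6da2c7ce403c9800e2",
        "sha1": "5b45b222de60318d34b4caa6eecc5944b7bc63bd",
        "sha256": "1606dc0cfa75904afa9a73126bb35935db1c49944542108f4dd4c95b06dedad4",
        "sha512": "d7987a006f7a536790072889586960d38d33f24db5a562b55bc9cb9ab679b133"
                  "ebbf494af214ec4e8320c6a55fdd06d23107b650c6292e7fa505bdc985e27411",
    },
    "Set-up.exe": {
        "md5": "a2d70fbab5181a509369d96b682fc641",
        "sha1": "22afcdc180400c4d2b9e5a6db2b8a26bff54dd38",
        "sha256": "8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473",
        "sha512": "219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c"
                  "18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Reverse index: digest -> (report label, algorithm), so one dict lookup
# covers every algorithm and every indicator.
_INDEX: Dict[str, Tuple[str, str]] = {
    digest: (label, alg) for label, d in IOCS.items() for alg, digest in d.items()
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Lower-case hex digests of an in-memory buffer for all four algorithms."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all four hash objects in a single read pass."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests: Dict[str, str]) -> Optional[str]:
    """Return the report label whose indicators match, or None.

    Every digest supplied must point at the same label: a buffer that matches
    only on MD5 but not on SHA256 is treated as a non-match (a collision or a
    transcription error), not as a hit."""
    labels = set()
    for alg, value in digests.items():
        hit = _INDEX.get(value.lower())
        if hit is None or hit[1] != alg:
            return None
        labels.add(hit[0])
    return labels.pop() if len(labels) == 1 else None


def scan(paths: Iterable[Path]) -> List[Tuple[str, str]]:
    """Hash every regular file in `paths` and return (path, label) for hits."""
    hits = []
    for p in paths:
        if p.is_file():
            label = match_iocs(digest_file(p))
            if label is not None:
                hits.append((str(p), label))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_check.py <file-or-directory> ...
    targets: List[Path] = []
    for arg in sys.argv[1:]:
        root = Path(arg)
        targets.extend(root.rglob("*") if root.is_dir() else [root])
    for path, label in scan(targets):
        print(f"MATCH {path} -> {label}")
```

Match on the hashes, not on the file name: the archive name on this page mixes ASCII with accented Latin letters (ḙ, Ŝ, é), which defeats naive string filters while looking ordinary to a user. The SSDEEP values on the page allow near-duplicate matching as well, but that needs a fuzzy-hashing library rather than the standard library, so it is left out here.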

Malware Config

Extracted

Family

stealc

rc4.plain

Targets

    • Target

      Set-up.exe

    • Size

      135KB

    • MD5

      a2d70fbab5181a509369d96b682fc641

    • SHA1

      22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

    • SHA256

      8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

    • SHA512

      219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

    • SSDEEP

      1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw

    • Detect Vidar Stealer

      A Vidar detection rule matched. The extracted configuration identifies the family as Stealc; Stealc borrows code from Vidar, so Vidar rules commonly fire on Stealc samples, and the two verdicts should be read as one payload rather than two.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on the Arkei stealer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the stealer runs on this host.

    • Suspicious use of SetThreadContext

      SetThreadContext overwrites another thread's register state, including its instruction pointer. Outside a debugger it is most often seen when a process injects code into a suspended child and redirects execution into it (process hollowing); the report gives no detail on which thread was targeted.
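The three behavioural signatures above (FTP-client config reads, the country-code registry lookup, and the SetThreadContext use) can be expressed as rules over a sandbox event trace. The script below is an added example and is not the sandbox's own signature code: the event format, the FileZilla file names, the registry keys and the process-hollowing call order are assumptions made for the example, and the trace it runs on is constructed, since the report does not show which files or keys this sample actually touched.

```python
"""Added example (not the sandbox's signature code): three behavioural rules
over a constructed event trace, mirroring the report's signature names."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    pid: int
    op: str          # file_read | reg_query | api_call | process_create
    target: str      # file path, registry key, API name, or child pid
    arg: str = ""    # flags for process_create, target pid for api_call


# Assumed FileZilla config files (the report names FileZilla only as an example
# of "programs like"); extend the tuple for other FTP clients. T1552.001.
FTP_CLIENT_FILES = (
    "\\filezilla\\sitemanager.xml",
    "\\filezilla\\recentservers.xml",
    "\\filezilla\\filezilla.xml",
)

# Assumed registry locations for the host's locale/country; the report does
# not say which one the sample queried. T1012 / T1082.
GEO_KEY_FRAGMENTS = (
    "\\control panel\\international\\geo\\nation",
    "\\control panel\\international\\localename",
    "\\control\\nls\\language",
)


def detect_ftp_config_read(events: Iterable[Event]) -> List[Event]:
    """Reads data files stored by FTP clients."""
    return [e for e in events
            if e.op == "file_read" and e.target.lower().endswith(FTP_CLIENT_FILES)]


def detect_geo_lookup(events: Iterable[Event]) -> List[Event]:
    """Checks computer location settings (country code in the registry)."""
    return [e for e in events
            if e.op == "reg_query"
            and any(frag in e.target.lower() for frag in GEO_KEY_FRAGMENTS)]


def detect_thread_context_hijack(events: Iterable[Event]) -> List[int]:
    """Suspicious use of SetThreadContext.

    Flags child pids that were created suspended by a parent which then wrote
    into them and called SetThreadContext on them: the assumed process-hollowing
    order. Calls against a process we never saw created suspended (for example
    a process touching its own threads) are ignored."""
    seen = defaultdict(set)   # (parent pid, child pid) -> steps observed
    for e in events:
        if e.op == "process_create" and "CREATE_SUSPENDED" in e.arg:
            seen[(e.pid, e.target)].add("suspended")
        elif e.op == "api_call" and e.target in ("WriteProcessMemory", "SetThreadContext"):
            key = (e.pid, e.arg)
            if key in seen:   # only counts after the suspended create
                seen[key].add(e.target)
    required = {"suspended", "WriteProcessMemory", "SetThreadContext"}
    return sorted(int(child) for (_, child), steps in seen.items() if required <= steps)


def run_signatures(events: List[Event]) -> Dict[str, list]:
    return {
        "reads_ftp_client_data": detect_ftp_config_read(events),
        "checks_location_settings": detect_geo_lookup(events),
        "suspicious_setthreadcontext": detect_thread_context_hijack(events),
    }


# Constructed trace (not from the report): a loader hollows a child, which
# then checks the country code and reads FileZilla's saved sites.
SAMPLE_TRACE = [
    Event(1000, "process_create", "1200", "CREATE_SUSPENDED"),
    Event(1000, "api_call", "WriteProcessMemory", "1200"),
    Event(1000, "api_call", "SetThreadContext", "1200"),
    Event(1000, "api_call", "ResumeThread", "1200"),
    Event(1200, "reg_query", "HKCU\\Control Panel\\International\\Geo\\Nation"),
    Event(1200, "file_read", "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"),
    Event(1200, "file_read", "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"),
    Event(1200, "file_read", "C:\\Users\\user\\Documents\\notes.txt"),   # benign, must not fire
    Event(3000, "api_call", "SetThreadContext", "3000"),                  # self-targeted, must not fire
]

if __name__ == "__main__":
    for name, hits in run_signatures(SAMPLE_TRACE).items():
        print(f"{name}: {hits}")
```

The hollowing rule deliberately keys on the parent/child pair rather than on any single SetThreadContext call: debuggers, exception handlers and some runtimes call it legitimately on their own threads, and counting those would make the signature noisy.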

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Sub-technique                      Hits
  Persistence           Event Triggered Execution (T1546)      Netsh Helper DLL (T1546.007)       1
  Privilege Escalation  Event Triggered Execution (T1546)      Netsh Helper DLL (T1546.007)       1
  Credential Access     Unsecured Credentials (T1552)          Credentials In Files (T1552.001)   1
  Discovery             Query Registry (T1012)                 -                                  3
  Discovery             System Information Discovery (T1082)   -                                  3
  Collection            Data from Local System (T1005)         -                                  1

Tasks