stealc | 7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/06/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
Size

5.7MB
MD5

9f9be61292c62089a46a872961cae046
SHA1

093e4fa849ad041d3237eeba9c1de4dfc1446ffa
SHA256

7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657
SHA512

8263e6a3f173a5339487637a1e2e6712602b7143e08034a37a2c73c9d191f7b9d423e1314627c016f4c905d47244f43d16959ab13aeae5a07ab8f08932c07227
SSDEEP

98304:3wCLKnCmxzvm3VZ2NVPClN4QxjK5TBJ5Kw19sbQ0G3chMdKBC:bLKCm0GNhC8b5tHTjaMdd

Score

10^/10

stealc vidar 56561c66bf3314a2b5cad65677212bfe stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

10.1

Botnet

56561c66bf3314a2b5cad65677212bfe

https://t.me/memve4erin

https://steamcommunity.com/profiles/76561199699680841

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/5028-66-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/5028-68-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/5028-71-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/5028-72-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/5028-73-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/5028-75-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3084	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
5028	MSBuild.exe
5028	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1668	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	80
PID 1360 wrote to memory of 1668	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	80
PID 1360 wrote to memory of 1668	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	80
PID 1360 wrote to memory of 2724	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	81
PID 1360 wrote to memory of 2724	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	81
PID 1360 wrote to memory of 2724	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	81
PID 1360 wrote to memory of 2728	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	82
PID 1360 wrote to memory of 2728	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	82
PID 1360 wrote to memory of 2728	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	82
PID 1360 wrote to memory of 964	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	83
PID 1360 wrote to memory of 964	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	83
PID 1360 wrote to memory of 964	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	83
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 1360 wrote to memory of 5028	1360	7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe	84
PID 5028 wrote to memory of 1032	5028	MSBuild.exe	86
PID 5028 wrote to memory of 1032	5028	MSBuild.exe	86
PID 5028 wrote to memory of 1032	5028	MSBuild.exe	86
PID 1032 wrote to memory of 3084	1032	cmd.exe	88
PID 1032 wrote to memory of 3084	1032	cmd.exe	88
PID 1032 wrote to memory of 3084	1032	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe
"C:\Users\Admin\AppData\Local\Temp\7e87bb624ca8aebac6a71494ac7d190e1266ad509ce872c0cecf7695eccfe657.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\FCAEBFIJKEBG" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-19-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-23-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-2-0x0000000005A50000-0x0000000005AEC000-memory.dmp

Filesize
624KB

Download
memory/1360-3-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1360-4-0x0000000005AF0000-0x0000000005C06000-memory.dmp

Filesize
1.1MB

Download
memory/1360-5-0x0000000005A20000-0x0000000005A3C000-memory.dmp

Filesize
112KB

Download
memory/1360-51-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-63-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-6-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-70-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1360-7-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-11-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-65-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-61-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-59-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-57-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-55-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-53-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-49-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-48-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-41-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-1-0x0000000000A40000-0x0000000000FFE000-memory.dmp

Filesize
5.7MB

Download
memory/1360-44-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-39-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-37-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-35-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-33-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-31-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-29-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-27-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-25-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-45-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-21-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/1360-17-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-15-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-13-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/1360-9-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/5028-71-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5028-68-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5028-66-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5028-72-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5028-73-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5028-75-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download