Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
22-06-2024 12:09
General
-
Target
8a2b3b8e6b4b4dd888503f88003177f842b8601a43397a8abb5827e866ab2c70.exe
-
Size
4.7MB
-
MD5
1570c3c8a9782660e2e96a584d620c68
-
SHA1
4710a5198ddfb7a6af032ea783136b03bd7bea19
-
SHA256
8a2b3b8e6b4b4dd888503f88003177f842b8601a43397a8abb5827e866ab2c70
-
SHA512
e66186ae33d9858ca6bccb399c8dbba1d36f5799c5a11415dc163637987105bd9753eb703959dffc0319c713b56fc174182bf3e88de7137b34ec7cae8404de2f
-
SSDEEP
49152:rwLX3Ex3SWH8pLzjJiqA4H4zu4vcCPXkyb9X4iPEAylTcUoFgZV0CX99:rwLXUx3H8dxirvHvbT8AocUoF0d
Malware Config
Extracted
stealc
Extracted
vidar
10.1
cac73a25dd295fef8853d330a75f6da4
https://t.me/memve4erin
https://steamcommunity.com/profiles/76561199699680841
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures
-
Detect Vidar Stealer 3 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 18 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a2b3b8e6b4b4dd888503f88003177f842b8601a43397a8abb5827e866ab2c70.exe"C:\Users\Admin\AppData\Local\Temp\8a2b3b8e6b4b4dd888503f88003177f842b8601a43397a8abb5827e866ab2c70.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\CBGHCAKKFB.exe"C:\ProgramData\CBGHCAKKFB.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 684⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\ProgramData\FCFBGIDAEH.exe"C:\ProgramData\FCFBGIDAEH.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\IEHJDGIDBA.exe"C:\ProgramData\IEHJDGIDBA.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 684⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCBFBGDBKJKE" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
374KB
MD54adf8628310c11bc5929175855d16cb6
SHA110e2317fedbd27741212e89e0c2a1333bc775472
SHA2566f1f0ff69f7bf28a1116549249353fcbf944d8d559aaf9c3ecefddb08e341106
SHA512b3e5b61a6538fe9c14a40e9e144c0be6ea2b5b921d6f3158204a5ae408435191467a0d0054867199f4b0923d040d453f874ff1c004170aac57824171fe063734
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
342B
MD5b15405c6b56e6ff57b29bdbd6c06d261
SHA16984ee38d0a9dc540c6644633eded9aba045a2ce
SHA2567bbeb23926226dc6aa5b9f41541a8df614a6f3fd8c7623657bf8ad85e3ae27a4
SHA5129c1ca52fd456b187381e8e2fcffe9de0685c1aa5f71dc26d50a409869029f365ebd5176ee8355f7dc91672950b86e7daf5fb9a217385d75d82e5118aaf3bf5cb
-
Filesize
342B
MD56193f5723e456bf17454031483717fd4
SHA15ef7e0e04077be19ee246944ccf64c19203158ed
SHA25657b95bcddea501ba83e1d6eda706a39083a3c31b46aaab78dc31ead714921de1
SHA51268b1caa508c40e435fafaa65760bfa9e995911c9a265d7d9d84d92f11771a6049034feb951989742a65228a67a4f59c68018e9ab16999a8fc2ad983b6b9426d1
-
Filesize
242B
MD50fc209ff2d3400fcb4ecf7a82c30c283
SHA18238911ba942bb84567bac3458100588df0b50b1
SHA256a6c5ad2ad579de73094190ae361cd5170e13e73fee325c44a4cfdd971dd78fd1
SHA512e2e67d3bfb3afbb7ce68266ee1f60a63d2fd0b0c2fd5e92cb77a55de348d4046907cbd97b17cb9045b6f490111f26e5c6619090d6769583f903b2e37e2858fe5
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.8MB
MD59f7d8785aa5e359848ebe4d771f3de8d
SHA170161505853a4cb3b2dc7eb690bde8b0f23b4d82
SHA2569cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca
SHA512b26659c8e24baf0b489198eb28aafa4e29b5728432f522d22202fb5c3d288bd2e33aec88feca1d84b56d42f2dbb369ef517c37815f2c216bae4722bd5dd7700e
-
Filesize
525KB
MD5555259d9ac1f9da27667485bfc3ab9af
SHA159d61d0aa693f28ba68b0de8fd3b11dc206b76c4
SHA256fa4491dbe5eb3d35c9f5884d746235769999d536d30033f4cf38633ce2343ede
SHA512ee1e2b3ca43eff5384298c251f1f0b6184a8a892410f998e40202dbc1376da45a1af3643fd5f490c3cd3f1f5fd420759a121c892f969e016d2c0daf11209e45b
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
6.9MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4.7MB
-
Filesize
6.9MB
-
Filesize
816KB
-
Filesize
6.9MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
112KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
392KB
-
Filesize
128KB