Analysis
-
max time kernel
90s -
max time network
123s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
25-06-2024 16:36
General
-
Target
2da1abbc4cc0cb6c5819206da60dbb09d72b02034ef375cd40ce289bdf2dc417.exe
-
Size
425KB
-
MD5
c64af626c4ed0784e010f5f2210e97f4
-
SHA1
03ff97d0f1530600ef134d64ddeabbe5770432a6
-
SHA256
2da1abbc4cc0cb6c5819206da60dbb09d72b02034ef375cd40ce289bdf2dc417
-
SHA512
b8905e33b1a01fc94ed440c7c435e58b2fb43639aa377118e1ab894de2bf20d52803fd80e73c863c4bb8b8fda6cf246e7d942cc8f985e3d81a9c7702af268f0a
-
SSDEEP
12288:tAZeNp7Ik3kXzCNAt8T7yejH2KlN2fq3S9:tAop5KCNEoWS3
Malware Config
Extracted
stealc
Extracted
vidar
10.1
cac73a25dd295fef8853d330a75f6da4
https://t.me/memve4erin
https://steamcommunity.com/profiles/76561199699680841
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures
-
Detect Vidar Stealer 11 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2da1abbc4cc0cb6c5819206da60dbb09d72b02034ef375cd40ce289bdf2dc417.exe"C:\Users\Admin\AppData\Local\Temp\2da1abbc4cc0cb6c5819206da60dbb09d72b02034ef375cd40ce289bdf2dc417.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DGDBAKKJKK.exe"C:\ProgramData\DGDBAKKJKK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 3164⤵
- Program crash
-
-
-
C:\ProgramData\IDAEBGCAAE.exe"C:\ProgramData\IDAEBGCAAE.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 2524⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HCFBFBAEBKJK" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 3162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1960 -ip 19601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5108 -ip 51081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3124 -ip 31241⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
632KB
MD5b60d8d01724703616e7cbbd320a9bd75
SHA116f170f595d6db225f1376315406bf10146d1743
SHA256cc6d774ca5b7d8d89289ccace5a25c5c3db0b30c330c10f0233c1d0cb8c9e24c
SHA5127560876438eb1401b542ff491e3d800b3ba06163ef62362f4e8a1e0bab26d809a24d045d396f2269648114c67ceb9dfec96f33f8b1491257b4240179345d0d00
-
Filesize
1.8MB
MD5c6c9f27d335d4e47b5ea12653e806be6
SHA1e53242d463e2c94383ec646e7e04504b96b4d176
SHA256514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769
SHA5127e00bdac39c89821b776dda372693d29e0e7188f8ef747037b971461af79545908f8fc8c9bbf7a30f1b0cc4ceea45632e91c1093e784002994808c19bd2a7347
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
432KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
4KB