stealc | b27f2ffda5054c513a5f0dc3bbdc067c78a82f2be201334703f1b45e477cd067

General

Target

Setup.exe
Size

2.0MB
MD5

e3d5b216c73c93fa570be1776d81da90
SHA1

dc66ddc93ed23831977a6dcf08a7b27786e0d169
SHA256

b27f2ffda5054c513a5f0dc3bbdc067c78a82f2be201334703f1b45e477cd067
SHA512

45a1d097a9e3f164c8b503f4aee0d3afcb747a57f0058c6f0f243f01739a7ecb5636095a72b04a38c0dd6cb0c3f8c12ccafdfd0051dc81f99911f657f9236669
SSDEEP

49152:KDjlabwz9ZDjlabwz9F62WMAQaPXvvvELJ8LPel0Pk:6qwvqwhBAh/vvYJ4PLM

Score

10^/10

stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/3216-64-0x0000000000470000-0x0000000000A1D000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	pikola.exe

Executes dropped EXE 2 IoCs

pid	Process
4644	pikola.exe
3216	rgawth.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
43	bitbucket.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3216	rgawth.exe
3216	rgawth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rgawth.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rgawth.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3216	rgawth.exe
3216	rgawth.exe
3216	rgawth.exe
3216	rgawth.exe
3216	rgawth.exe
3216	rgawth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3216	rgawth.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4612	3128	Setup.exe	82
PID 3128 wrote to memory of 4612	3128	Setup.exe	82
PID 4612 wrote to memory of 4644	4612	cmd.exe	86
PID 4612 wrote to memory of 4644	4612	cmd.exe	86
PID 4644 wrote to memory of 3216	4644	pikola.exe	88
PID 4644 wrote to memory of 3216	4644	pikola.exe	88
PID 4644 wrote to memory of 3216	4644	pikola.exe	88

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pikola.exe
    pikola.exe -ppivore
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
36B

MD5
57763e1c0b9a681adcbeabb751ef4ca5

SHA1
0173fdd3469f7e580719bf69e6f62f9616a36b06

SHA256
25135d26bc14f31825318db6d3f68e2abf826a6a76ac4d3647291045e6198610

SHA512
7dd34652b07235e31aa13beef7292da56851007a051d805ff9f378d998d3d5fe489fedc93cac28a3d242f6416c2026d3bcdd6d257963ab65a64edd30ebb87260

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pikola.exe

Filesize
1.6MB

MD5
ad70fa49c2c2231a2675f50ec84839a4

SHA1
bf06da874316e2d3a94f645736b985b6c4826325

SHA256
5e18f14a182675b8353f0b85c4aa003ea02e9f737274a55795c01a08d5d738e6

SHA512
6ea0c9935e67656ab86240030cef2a538fb3b719264bd75ab364b3b828ab0c46022019af62661e85d278a3b8af789b1da22641c99e45ea011fa2e8bbe6118186

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe

Filesize
1.1MB

MD5
5bd956880091b64c30ecc00ba5b61ebd

SHA1
19efa2cc8399c6add9f0a30e1fb51535623e50a6

SHA256
04bd08936aaeb8ccef9552f8050c7f10f30690a4929bf10cb343b6cde614f5ca

SHA512
231d2bffb276b37a9660d6499cce85565b1a5891cec163a1959fa25970a0629ca3de02bf290ee4f9e28c2e503e5df2d5aaf9fa180c661403e8e7991f21df407c

Download Submit
memory/3216-18-0x0000000000470000-0x0000000000A1D000-memory.dmp

Filesize
5.7MB

Download
memory/3216-29-0x000000002A1C0000-0x000000002A41F000-memory.dmp

Filesize
2.4MB

Download
memory/3216-64-0x0000000000470000-0x0000000000A1D000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads