Overview

overview

10

Static

static

1

06510b52e0...f4.exe

windows7-x64

10

06510b52e0...f4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    003978c8812e39ddb74bf9d5005cb028.bin

  • Size

    199KB

  • Sample

    240913-bcnq5awbpg

  • MD5

    5e0b13565397465fe69ddc2f31603fee

  • SHA1

    7dfd6d01a8c50861ce9bc3a518ee5da5d89ee6bc

  • SHA256

    e374a6acfacda70b93aeaaf936a5cffe94f379b13ca74d005daadce91a89dd6d

  • SHA512

    29af9dddce57472e6dbbbe8c0c7ea42c87290a396f3ca18e83aa008ab537a180130fda703266aa98f9ab737d73cc94ee736e2b6134fd1f452d49c7c8f288ce9e

  • SSDEEP

    3072:cfllfDi31XrzG146UsC8sIt5ZTI5GNNhLZNQ5azPSYh9w/6V3FlD3VVPStLv5L:KlCXI80sItPI5GNNhLQ+PTJZKL

Score
10/10
stealcvidardefaultcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Targets

    • Target

      06510b52e07e89b5781f4ee3c7b4d94ff84c03931b3d7d93224294860feaccf4.exe

    • Size

      205KB

    • MD5

      003978c8812e39ddb74bf9d5005cb028

    • SHA1

      126f73c30469a1b7e9a04a670c35185b5df628bc

    • SHA256

      06510b52e07e89b5781f4ee3c7b4d94ff84c03931b3d7d93224294860feaccf4

    • SHA512

      7c0b7ec7dfe18f99cf850c80c3228f52537d5565b2950d4f0ef8cbbb7b19d1f5e2d128f3766dcede41711b4d3c5631c7f758dd61697b1e5978d596f98f54c31d

    • SSDEEP

      3072:ZtbSjQd8hj3W87zLGmQ3Dh7S+mzyswdHOWoF7MXAYIvpivdan8gMXLKYzEO:qEiFh7zamQTh7SzyhHfYMXAYrvdwqEO

    Score
    10/10
    stealcvidardefaultcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks