Analysis
-
max time kernel
80s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
16-09-2024 07:24
General
-
Target
6a29ad0875e10f90cc6f55458e76f60b06a02da68ed6dcd8c9f856872ab2f053.exe
-
Size
293KB
-
MD5
2cc2bd304829360c40a79c5156173cc5
-
SHA1
d998655a0863734b4922c51209435333d7a7b940
-
SHA256
6a29ad0875e10f90cc6f55458e76f60b06a02da68ed6dcd8c9f856872ab2f053
-
SHA512
06b9e2844a9332f135542ed3dfcd356225d7c1fe987a919a0df11fd5209242edc751a5ac181aafcfaa487b8e59f81f9f07af70f0f59f6bd1b8d2c131b0060f44
-
SSDEEP
6144:kgBofTlaXr7498jq34VVgKzIZ8GkQ15OcqZwRyOEhqDmPyUgW7M9UhrEW/IEO:kdfZaXEyVgKqoQ15OcqZ+5E8cgcmjWwt
Malware Config
Extracted
vidar
https://t.me/fneogr
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Signatures
-
Detect Vidar Stealer 22 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a29ad0875e10f90cc6f55458e76f60b06a02da68ed6dcd8c9f856872ab2f053.exe"C:\Users\Admin\AppData\Local\Temp\6a29ad0875e10f90cc6f55458e76f60b06a02da68ed6dcd8c9f856872ab2f053.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\KJKJKFCBKK.exe"C:\ProgramData\KJKJKFCBKK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBAAAAKJKJE.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminBAAAAKJKJE.exe"C:\Users\AdminBAAAAKJKJE.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCBAECGIEB.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminFCBAECGIEB.exe"C:\Users\AdminFCBAECGIEB.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\ProgramData\EBFBKFBGII.exe"C:\ProgramData\EBFBKFBGII.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIIEBGCBGIDH" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
11KB
MD57b0da8a001df899c45e9b55aef1db269
SHA122026d6dcbc18d91245e4d1005e10262a54b3249
SHA25690af799da7afe122bb55148d682829473726bd1db99928e80f7c193052cbdc5b
SHA512ad5e7f5d887559108de6a32f9fdd3ca564458956d3321effe31968f74980bdf92cff10cecbba7e4cd8f8062f27078a781a1b0aa98e2c98abd06e851948cc0ed1
-
Filesize
283KB
MD5449d3f0970fc9cd91a8f4bea664a0cd6
SHA12a2624a79afaf0fcb01c44f8106c8bf8933106e0
SHA25633da286e78538e3f5eda7b23c70578a1fda8a5b98069bd269b8a6035babe2b23
SHA512e7888f333695f9fe1cda7db15f154a1261ec7cb1b67e6efb9b5c19183f5b092bea736ca768a60a5f102982a3c8e5ea1bd79035ab15f3db37c104dad9c5a48d33
-
Filesize
114KB
MD5e110cbe124e96c721e3839076f73aa99
SHA102c668c17c7fae5613073e9641bc9bcff96c65a0
SHA256a793f3d212f395bfc8973231a22a6013c0e334443aa4172a8b5d611bb0f378a7
SHA5128d91ff245f703e5dbee68085e9ca0de4b2fc044befcf79977f46bb8bfd908fa0e22ec0dd6a2b400e9ff447f888b550635ed82ebda18575d17b1f3d478a45f5dc
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
207KB
MD5cd6646d9eddb6ed8900b5bd9da0597f2
SHA1d87cb53b2b10d804721c80894bccbc989df5acae
SHA256743948a05fa7b9a001b346699bc9fd4d645b755bc7ef73802b2a139288910f24
SHA51239060c059137fd3fd00405043e97608481bf2035090a0f5aafebec84975c701296e9227f3e61977a14d9767830be4cdf1b2fd36c443643b73ec135f438b8a8b6
-
Filesize
30KB
MD5d6240f07ecdd0e2af30c116b8baf0ed8
SHA1b8e11742481828d78de2df3bc995d4d519752e19
SHA2562e6947b3386dfa29b4fb34a3d4ff1db1fafb549d079b0fe3d103c65257616a7c
SHA512de0460900645369744773a28dca94015bea6a72be9b90c42e6b21c50797b33fad7b09e200b12b9bb54c10076c3c3ea8e4a6eb15e36c4ccf73473b886daea7573
-
Filesize
11KB
MD53016af45a4c7045b394c9a131197754e
SHA104ddb46a00ec97a965f199fdc80bb5eb1088a5c0
SHA256077707610bbfd5f1e371e5eebbf263de599863ae3fe3c3ca93bbe8a70eb3aedc
SHA5121bae6407a7870c2e0720b548b4e9b5855d2a1b155ad13be48173fb3625abe4141b94d1fbbbc32f177b5646dfe929de863e9bd68794c344cda5b304e927b01244
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
185KB
MD57e48e0175209d2215f076d61ec25eb76
SHA1aea491255f7522d38c683013fbbc4a15e77979af
SHA2563cd2089889c83ed1af3bef1d428037a4d415b15d501a0ad4f3f2ed62ce7a8cb2
SHA5125a0f7d295d5d739df171accb893f6577be090da17ccdac1ae996f9fad0b0f55d356e112369f372be7c71769ab4ee40d6fbe57575a93d3d628fe51f4594142879
-
Filesize
6KB
MD51db3b113ea14925949ea3452b564df26
SHA17b93c9ae6f741e2b7351b222a279aa9a45b3c86d
SHA25661bd0e9e6cee5cfdbe5c56816e87fa00bb58561b654271357a6acaf351036c5f
SHA51259975ae510fa57fd5105878f06943ddef5924a5cb42bfefb5b2816b2ec8adb12b4767d95784f7c476dabfaef66f8bf6f5413b0bc373987df6e4cb47d14448d69
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
321KB
MD55831ebced7b72207603126ed67601c28
SHA12ba46b54074675cc132b2c4eb6f310b21c7d7041
SHA25602097348db100eb22d46dc474a1078b5ddbb56ee916cc81f24fadd0a6938ac58
SHA512a9924ef2373851156d981bc3c5b5d533e8b510abf6c3f12e62af0c019e740f0d077efb8f7f93699d797335df33013c72fd9ead3b2253dd82f14b7b330faacb8e
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
2KB
MD5375415776602c95039b112490beef7b8
SHA160c665ce93548d1634b3b86419a0b31ed2ef267d
SHA2567adb9f2f9214814e7d669a867636b029862d5840cbfde3805be93d04f37a8939
SHA512f6f26f2b52be8f8815f354da5e1fd50de93e6b40a79ca6535b055e03db7cf01ef3a5017e1d857f2a3b8f5ec27103e3f053f613ec7343da1d3fb008894db73939
-
Filesize
2KB
MD54f28f91cf083663dc10c8c83d7fec78a
SHA14874e9a130dfa66257800c7e4c53f370fd29db84
SHA256fa6b9ac9ae1c57705c63fb5fe4cb721582f236dde25668a5f63a59769cb99287
SHA512e27e3df78d6c0bd6dde4479ef8538e7da4d907fcb2c31ae792b4bb7190465ff6a8f4651281a9a2bbad4939b4d0288feb22666945675b51f99b35611e2c8a8244
-
Filesize
504B
MD586950f5a653e1624573277324dd5f88b
SHA1771a75f62e942505dd4eb449dd8f090d2ee04183
SHA25677595f3804a8300e7712e3f88ab1dd47bea3596ec5f63178dedadb21da21af7b
SHA5123678d88496e446a04ffc5103e0a08b250b256729d93c68f26e6840d455c5bf084baf99ea506d27f0f63fb3ef0a2849179dd53032a5f5fa8b46b9da97d3c18b1d
-
Filesize
1KB
MD539dd18b819ba32ca53632f479d93e548
SHA1f4948bf5fe935263f25bd254d17f193f42eac43b
SHA2565fb8bb665baa6b5a09f0962d71661f6cad2c8276f89bd10783b36ccab0f468a1
SHA51249966211cc26a738cb1442f8fc24f37a28ff1563f37df959ebe3588684a3c4bacd79ffc361c678c6fee015b99c909450e16592efd6896d13e7a7d6d5234ff750
-
Filesize
192B
MD5fc6aa34c8f4d8226981b4fbe2b6f69b5
SHA14a4e8da0433b424f20f0c230e6f3c0b446f74fe9
SHA2561284b979012305f3041312ca84cf29540dc772af5b3da963c926b252590a5ab8
SHA5128872af563d7d79bb5f4debec1bee6e4fa5fde4e3e0ed43dd8ecc139822a317d9d41bf047077a4873251cc0a3669c1714dc3c0484520abae35082540ecdfe3964
-
Filesize
458B
MD5371540b483adfcfe3782b434c8d3caaa
SHA138419e2d850d43579358bc4edfd7453dc85afd3f
SHA256b007932d5738eff3ad4b37ade7a4631712710ead4ca74b585a246df029fc314e
SHA51201621322fac3bdbcf015d5dc56965cef888bbfb764764fab3aec6c1b242a4c8811bac242ccf0359bbf2010db9f7fa11057fe7714339311510fac43f21ff743a1
-
Filesize
450B
MD5650bff9fd69d69614852ebe0170539b6
SHA1c3c51361867bbd4363ef4ed06787f92cd7aa2c36
SHA2564903c959dfc10a198168a9796698448d6e56d0c611923f7618f373e514f5997d
SHA51238e4bf53e0824e9155ea2bb5734a8f2a50b482211e35c5876af69c9409c561f534aabb20ddcd859c9158a663e4fce7a4574caec4ab48967715f2ba2b15e7fbcf
-
Filesize
550B
MD5e273cb9cf928c07e9be1d769b6bbc30d
SHA1542e7b5aa3c6e69b5d1b2f633ad0ab7b36f4f837
SHA256d008a079901e6277ee53e30742a62f59da628a32161e9160039a85567d688e0d
SHA512adfcbaddf9de6553fb116f097b98d9affed6a06dd9078d50406ef5b29c7392cc50f1441809dc4692e1b01ef941faa99a698c49ce2fcb0ed9570f0905e03aeb73
-
Filesize
458B
MD5c721dc2207a727b09512281c91a3c237
SHA1563ac6245d1be9f56b8e4cac0a0ddf3faccbd57d
SHA256786170f3b9f99f3744ca4bd9403a96f07cc3160c0dbb2e4eea6455d50926f362
SHA512b807db6f11615361697f16631c9f3874073af96110fc8f861fae5c8fd13fd96701016b4b4453e1fc6829170025d7d2665886446ef92f38465f8c35e7de95df5f
-
Filesize
296KB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
224KB
-
Filesize
5.6MB
-
Filesize
972KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB