Overview

overview

10

Static

static

1

fc810b97cd...f1.exe

windows7-x64

10

fc810b97cd...f1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1

  • Size

    282KB

  • Sample

    240916-ltd85a1dmm

  • MD5

    7676e9e26e9d68ed4333b48962e246df

  • SHA1

    8acf019a18dcf8e817a5665fcbb9a2e17e5d448a

  • SHA256

    fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1

  • SHA512

    4d8b18a648d5248291714868d0bfa56e8f3e051b8db18551c4c422278767111766e1dfdc373ccddd0d6139f932dc273258113a69aff79c057716e80a1b2f5c22

  • SSDEEP

    6144:sobHX7AuhXt+uvGlAs5Y9hpgeGnXU0ms3HxpRxIEt4V68EO:lbHc2TeteqE0tXxpMECVZEO

Score
10/10
stealcvidardefaultcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Targets

    • Target

      fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1

    • Size

      282KB

    • MD5

      7676e9e26e9d68ed4333b48962e246df

    • SHA1

      8acf019a18dcf8e817a5665fcbb9a2e17e5d448a

    • SHA256

      fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1

    • SHA512

      4d8b18a648d5248291714868d0bfa56e8f3e051b8db18551c4c422278767111766e1dfdc373ccddd0d6139f932dc273258113a69aff79c057716e80a1b2f5c22

    • SSDEEP

      6144:sobHX7AuhXt+uvGlAs5Y9hpgeGnXU0ms3HxpRxIEt4V68EO:lbHc2TeteqE0tXxpMECVZEO

    Score
    10/10
    vidarcredential_accessdiscoveryspywarestealerstealcdefault

    • Detect Vidar Stealer

      stealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks