General
-
Target
appFile_debump.exe.v
-
Size
37.5MB
-
Sample
240926-sp6adaxbqg
-
MD5
6c3b270516a2731b1432f04cdefbb285
-
SHA1
454081d69cf999c960cd03ebba0e38660738b8c5
-
SHA256
9373f8ad1f33c0286734265cb5e60e69627fb5fd8f2220c655e6afa2d6ebda06
-
SHA512
81ac6b5063d6927c01106b157e87f1f665c36bfc5dc8d24d1d8dc977d5d8918d07d3e9ed962d3b476f33be452c4d1cd68719f0ee35e712805ef141490a73cd3a
-
SSDEEP
393216:ueXoa1bbXgKzn6vZrBoCMHUqbvkH/igbqmA8MLdculzFTi6AcsdNidnGF3rB:54CbwKzcHoDcH7qm6bTixca0ArB
Malware Config
Extracted
vidar
11
3a15237aa92dcd8ccca447211fb5fc2a
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
stealc
save
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Targets
-
-
Target
appFile_debump.exe.v
-
Size
37.5MB
-
MD5
6c3b270516a2731b1432f04cdefbb285
-
SHA1
454081d69cf999c960cd03ebba0e38660738b8c5
-
SHA256
9373f8ad1f33c0286734265cb5e60e69627fb5fd8f2220c655e6afa2d6ebda06
-
SHA512
81ac6b5063d6927c01106b157e87f1f665c36bfc5dc8d24d1d8dc977d5d8918d07d3e9ed962d3b476f33be452c4d1cd68719f0ee35e712805ef141490a73cd3a
-
SSDEEP
393216:ueXoa1bbXgKzn6vZrBoCMHUqbvkH/igbqmA8MLdculzFTi6AcsdNidnGF3rB:54CbwKzcHoDcH7qm6bTixca0ArB
Score10/10-
Detect Vidar Stealer
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
3Windows Service
3Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1