stealc | b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f | Triage

Submit
Reports

Overview

overview

Static

static

3

66fe13d56f...er.exe

windows10-1703-x64

Sharing

General

Target

66fe13d56fd43_EdgeOUpdater.exe
Size

26KB
Sample

241005-qstpmstfqm
MD5

cdb17e17bc4e4d51fde6a4620cec014c
SHA1

c184c6c58a66555685be713dcd2d11e6f0af7c37
SHA256

b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f
SHA512

acde9cf8b3ee05efe99f5bd1e096e2016f0f6f7fc196f89f6a9592480ee0afe134d4ebdb2a5c6c8782290c5da31b07f9e58cc1722a9fe4bf70d9ca05e1b2417a
SSDEEP

384:HvVTF7OeRFOJPxyhd/jP+ZhxZL8fDPE5I0+TkFBUM9ekamBrqEjDD2DUj7+uWZFj:H95FOJPxQWV2/k7Uuhq4/+uWz

Score

10^/10

stealc vidar default discovery persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

66fe13d56fd43_EdgeOUpdater.exe

Resource

win10-20240611-en

stealc vidar default discovery persistence stealer

windows10-1703-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

vidar

C2

http://proxy.johnmccrea.com/

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Targets

- Target
  
  66fe13d56fd43_EdgeOUpdater.exe
- Size
  
  26KB
- MD5
  
  cdb17e17bc4e4d51fde6a4620cec014c
- SHA1
  
  c184c6c58a66555685be713dcd2d11e6f0af7c37
- SHA256
  
  b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f
- SHA512
  
  acde9cf8b3ee05efe99f5bd1e096e2016f0f6f7fc196f89f6a9592480ee0afe134d4ebdb2a5c6c8782290c5da31b07f9e58cc1722a9fe4bf70d9ca05e1b2417a
- SSDEEP
  
  384:HvVTF7OeRFOJPxyhd/jP+ZhxZL8fDPE5I0+TkFBUM9ekamBrqEjDD2DUj7+uWZFj:H95FOJPxQWV2/k7Uuhq4/+uWz
Score

10^/10

stealc vidar default discovery persistence stealer
- Detect Vidar Stealer
  stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

stealcvidardefaultdiscoverypersistencestealer

© 2018-2025

Terms | Privacy