stealc | 55f3a969a56a2abde560a4d6997575a957527a8f4c1993bc2607162282e5265f

General

Target

out_sig.exe
Size

5.0MB
MD5

98169d8760c2fcb356c9583b09d44587
SHA1

0e5bcc84c99fc14c6fbf26e8ce195d6170dc0ad6
SHA256

55f3a969a56a2abde560a4d6997575a957527a8f4c1993bc2607162282e5265f
SHA512

4b37db47c6cf02afeeb394edf2580a03e790ca985b776d01591de2b202a7ea8ffd7a59c2679034fe9c90521aab91c4af2a3576f63517f6469f0178f767aa0308
SSDEEP

49152:C3TR+XFHckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1105jgv1fRbcy:CIHwrb64XwWsAwFaFXu+3

Score

10^/10

stealc vidar e4c95706ca9ca1f557526e6bb6442743 credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

10.7

Botnet

e4c95706ca9ca1f557526e6bb6442743

C2

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/memory/1016-5-0x0000000000400000-0x000000000095D000-memory.dmp	family_vidar_v7
behavioral2/memory/3288-4-0x0000000000960000-0x0000000000BA3000-memory.dmp	family_vidar_v7
behavioral2/memory/3288-9-0x0000000000960000-0x0000000000BA3000-memory.dmp	family_vidar_v7
behavioral2/memory/1016-7-0x0000000000400000-0x000000000095D000-memory.dmp	family_vidar_v7
behavioral2/memory/3288-26-0x0000000000960000-0x0000000000BA3000-memory.dmp	family_vidar_v7
behavioral2/memory/3288-27-0x0000000000960000-0x0000000000BA3000-memory.dmp	family_vidar_v7
behavioral2/memory/3288-28-0x0000000000960000-0x0000000000BA3000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	out_sig.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IoloManager = "C:\\Users\\Admin\\Pictures\\Iolo\\IoloManager.exe\u0b00"	out_sig.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out_sig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out_sig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	out_sig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	out_sig.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4104	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3288	out_sig.exe
3288	out_sig.exe
3288	out_sig.exe
3288	out_sig.exe
3288	out_sig.exe
3288	out_sig.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3288	1016	out_sig.exe	98
PID 1016 wrote to memory of 3288	1016	out_sig.exe	98
PID 1016 wrote to memory of 3288	1016	out_sig.exe	98
PID 1016 wrote to memory of 3288	1016	out_sig.exe	98
PID 1016 wrote to memory of 3288	1016	out_sig.exe	98
PID 3288 wrote to memory of 860	3288	out_sig.exe	101
PID 3288 wrote to memory of 860	3288	out_sig.exe	101
PID 3288 wrote to memory of 860	3288	out_sig.exe	101
PID 860 wrote to memory of 4104	860	cmd.exe	103
PID 860 wrote to memory of 4104	860	cmd.exe	103
PID 860 wrote to memory of 4104	860	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\out_sig.exe
"C:\Users\Admin\AppData\Local\Temp\out_sig.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\out_sig.exe
  "C:\Users\Admin\AppData\Local\Temp\out_sig.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\out_sig.exe" & rd /s /q "C:\ProgramData\FIECBFIDGDAK" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-0-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/1016-1-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/1016-2-0x00000000008DD000-0x00000000008E8000-memory.dmp

Filesize
44KB

Download
memory/1016-3-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/1016-5-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/1016-7-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/3288-4-0x0000000000960000-0x0000000000BA3000-memory.dmp

Filesize
2.3MB

Download
memory/3288-9-0x0000000000960000-0x0000000000BA3000-memory.dmp

Filesize
2.3MB

Download
memory/3288-13-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/3288-26-0x0000000000960000-0x0000000000BA3000-memory.dmp

Filesize
2.3MB

Download
memory/3288-27-0x0000000000960000-0x0000000000BA3000-memory.dmp

Filesize
2.3MB

Download
memory/3288-28-0x0000000000960000-0x0000000000BA3000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads