stealc | 81e9674a18dcb4fad7e6314b353b71de92f04116438b950fdf177a1b0c5f1525

Analysis

max time kernel
49s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Cheat Free.rar
Size

1.6MB
MD5

4ba1bd42e77a2370c240d08e568efc72
SHA1

b1d86361ed425fcf70e77f23d90867d87f1a7353
SHA256

81e9674a18dcb4fad7e6314b353b71de92f04116438b950fdf177a1b0c5f1525
SHA512

3482b3fb9c78958e482aa2115e661f7128b9bf9ea492d488810cb40d929f3a3e8ef6ee4e4ca94546afe8bd4be83ddd759aa743ba612abd4347e489eed8fa67d0
SSDEEP

49152:mwnklGp051IOBaI8QTkH/oXeUC3A4Z4gzk9JOw:mCAGpDOAI8QTu/rLwG4Yw

Score

10^/10

stealc vidar a17f83dafa130de24986f1ad305270d5 discovery stealer

Malware Config

Extracted

Family

vidar

Version

11.7

Botnet

a17f83dafa130de24986f1ad305270d5

https://t.me/m07mbk

https://steamcommunity.com/profiles/76561199801589826

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/1084-14-0x0000000000800000-0x0000000000A59000-memory.dmp	family_vidar_v7
behavioral1/memory/1084-19-0x0000000000800000-0x0000000000A59000-memory.dmp	family_vidar_v7
behavioral1/memory/1084-16-0x0000000000800000-0x0000000000A59000-memory.dmp	family_vidar_v7
behavioral1/memory/1084-22-0x0000000000800000-0x0000000000A59000-memory.dmp	family_vidar_v7
behavioral1/memory/1084-36-0x0000000000800000-0x0000000000A59000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 1 IoCs

pid	Process
1888	Roblox.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 1084	1888	Roblox.exe	102

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4020	7zFM.exe
4020	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4020	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4020	7zFM.exe
Token: 35	4020	7zFM.exe
Token: SeSecurityPrivilege	4020	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4020	7zFM.exe
4020	7zFM.exe
4020	7zFM.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 1888	4020	7zFM.exe	96
PID 4020 wrote to memory of 1888	4020	7zFM.exe	96
PID 4020 wrote to memory of 1888	4020	7zFM.exe	96
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102
PID 1888 wrote to memory of 1084	1888	Roblox.exe	102

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox Cheat Free.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\7zO4BF200F7\Roblox.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4BF200F7\Roblox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4BF200F7\Roblox.exe

Filesize
4.3MB

MD5
0348fffafb59ece4aa4e5304ee89488d

SHA1
6c1a2c3cb6e7a4b81e7c5011ff5b98e87d6740df

SHA256
679a1ccf565bc8e97f67637df2dfda231a2d5a4ea5d83cefa2fb2c6b390ed082

SHA512
0a37d386ff0924790706692503f1e18036f67d5841ed26b913249eddf336382d29fdb4e8d20d3b4a3d1cd31f57b7bf3a661e5f961b4054f84923c413423a7210

Download Submit
memory/1084-12-0x0000000000800000-0x0000000000A59000-memory.dmp

Filesize
2.3MB

Download
memory/1084-14-0x0000000000800000-0x0000000000A59000-memory.dmp

Filesize
2.3MB

Download
memory/1084-19-0x0000000000800000-0x0000000000A59000-memory.dmp

Filesize
2.3MB

Download
memory/1084-16-0x0000000000800000-0x0000000000A59000-memory.dmp

Filesize
2.3MB

Download
memory/1084-22-0x0000000000800000-0x0000000000A59000-memory.dmp

Filesize
2.3MB

Download
memory/1084-36-0x0000000000800000-0x0000000000A59000-memory.dmp

Filesize
2.3MB

Download