stealc | 863236c7bdd432650bad5cba9c9ecc5a89a65ca326cf2fc3dcfbe92da0c20072

General

Target

Roblox Cheat Free/Roblox.exe
Size

4.3MB
MD5

0348fffafb59ece4aa4e5304ee89488d
SHA1

6c1a2c3cb6e7a4b81e7c5011ff5b98e87d6740df
SHA256

679a1ccf565bc8e97f67637df2dfda231a2d5a4ea5d83cefa2fb2c6b390ed082
SHA512

0a37d386ff0924790706692503f1e18036f67d5841ed26b913249eddf336382d29fdb4e8d20d3b4a3d1cd31f57b7bf3a661e5f961b4054f84923c413423a7210
SSDEEP

49152:h/EsnrGL+AJ047LhE7z6UJflrOQy7BDfXMzs+EIdL7j4VyKcEtYAVttcYzGUX6lQ:h8srjg7lE7KXMzS5CV9o

Score

10^/10

stealc vidar a17f83dafa130de24986f1ad305270d5 discovery stealer

Malware Config

Extracted

Family

vidar

Version

11.7

Botnet

a17f83dafa130de24986f1ad305270d5

C2

https://t.me/m07mbk

https://steamcommunity.com/profiles/76561199801589826

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/memory/1168-1-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/1168-2-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/1168-3-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/1168-19-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/1168-20-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/1168-21-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/1168-22-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 1168	4388	Roblox.exe	101

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2832	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1168	BitLockerToGo.exe
1168	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 4388 wrote to memory of 1168	4388	Roblox.exe	101
PID 1168 wrote to memory of 4368	1168	BitLockerToGo.exe	104
PID 1168 wrote to memory of 4368	1168	BitLockerToGo.exe	104
PID 1168 wrote to memory of 4368	1168	BitLockerToGo.exe	104
PID 4368 wrote to memory of 2832	4368	cmd.exe	106
PID 4368 wrote to memory of 2832	4368	cmd.exe	106
PID 4368 wrote to memory of 2832	4368	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Roblox Cheat Free\Roblox.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Cheat Free\Roblox.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\JKKEHJDHJKFI" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-0-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-1-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-2-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-3-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-19-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-20-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-21-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1168-22-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing