stealc

Sharing

Copy URL

Twitter E-mail

General

Target

fc77e5bdbc74120a3003bac0021871ccf74a182ce068aece06a7acf00363810c
Size

1.7MB
Sample

241205-vntajatmbw
MD5

84512cfe6f46326bb652e4344b8679e0
SHA1

739d769713a65bb9ddfde72b73431b3346c9b613
SHA256

fc77e5bdbc74120a3003bac0021871ccf74a182ce068aece06a7acf00363810c
SHA512

bb4960b3a6d4ba4efaed6fcc9bcbcce6758d49451421643ca4d4da323a838a831e204f024c34346a8e207d77c635c2eed2da9f561a7d884ce70e58c4fd801e0c
SSDEEP

49152:jdnHrgCeeRICl5N1rqrJTe4ONoXBo7rH06BR:jRLgCeeHNRF4ONyi7rH06BR

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

41d35cbb974bc2d1287dcd4381b4a2a8

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

- Target
  
  InstalIеr-x86/Qts5Svg.dll
- Size
  
  253KB
- MD5
  
  a7d192e6f464e759391c782fa4c3db18
- SHA1
  
  bce12f057a2a6e3dfea381892c0206788acd00df
- SHA256
  
  bd76dfd40334035338284301256488505b15ec952f1fcab696551fdd69c5eb18
- SHA512
  
  01b5b708dc89354358294b97cb08f8bf2d96f55f08dd5825c63f1ce1fe0b213e56863a78900de13ab7ddf0da5a6c1a2d2f252ef7f28159f645a2e4d2de6dcc87
- SSDEEP
  
  6144:sKD4dwpLEE61jMW52NP5xwuMnyOWYGcy8Dv4Cnke+9oCsGhvdw61IwxP4zd:sKD42pLEE6mw2NPnBMIBrU
Score

1^/10
behavioral1 behavioral2
- Target
  
  InstalIеr-x86/SbieMsg.dll
- Size
  
  3.1MB
- MD5
  
  1d531229c003c1bb3e93cfb9fae79ebf
- SHA1
  
  f481e660e79c146604f2a512fd66fda1d1ca38f5
- SHA256
  
  74a9d7d248fbf81ba1d6bc6c6f921d6fed52b71d4bcde4fcec490cdb0b0d7285
- SHA512
  
  f84d6bbacc0aa4b44ed92e1336c553075d0168bc9a876404c2c03f9262b6888f5f22915a2cfcd1593245918c7c7f92e52b5ad4ba3c4d761756184d60a2794284
- SSDEEP
  
  12288:z2VpSiFSJYeUvaOen/aMWz1O6125RXvPtu6jAO2Ifq2TvpC4X:zuxv6OenC7Q6125RXvPk6jA23
Score

1^/10
behavioral3 behavioral4
- Target
  
  InstalIеr-x86/SbieShelIPkc.dll
- Size
  
  10KB
- MD5
  
  ab87c29e560226a3604d004e049eda48
- SHA1
  
  b1aee6cf1d58510b75f7fa4ad1b1ac5f9d0eb147
- SHA256
  
  c7164a3d901a6658d94db02edaef0615d08df5e2ee15d1e6468be9de8a6b17dd
- SHA512
  
  20c2a47fe3201a5b8e21b1d3a998f7d4ef66fe0153e0f2983674632617fcaa37a704795d5215720943804a0136a2635fc8bab589d453ec5b5f45916f0f7a53e7
- SSDEEP
  
  192:Je8ARCKz6Nl9vXhUc2jawG31caVkbhY6en2SUhfinDHx:g8At4vXzwJVYH2ScfMd
Score

1^/10
behavioral5 behavioral6
- Target
  
  InstalIеr-x86/TTDesktop18.exe
- Size
  
  26.0MB
- MD5
  
  13eb2bb3303156d695ecf3f2b2c09eb7
- SHA1
  
  db1f2877681d02201c6c9d71d8c52a872c3612b9
- SHA256
  
  8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b
- SHA512
  
  6f44a7f1612f0eb4843c1e0de757a03f53d2b14e7aa8b7f983c2ca9baf0701d30f129edeab9c889655840782a1289fb4d0bf0699223e3c584afdaa4ee5172172
- SSDEEP
  
  192:0qgaiJUFTQcHVPtAXjJ9vT2O3yP8B50LOZdBcmCEJXVWwTnkVOvQu:57zFEcH769vT2OCkB50LknnVTnkVUQ
Score

10^/10

discovery execution stealc vidar 41d35cbb974bc2d1287dcd4381b4a2a8 stealer
- Detect Vidar Stealer
  stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  InstalIеr-x86/cfg/platforms/qwindows.dll
- Size
  
  1.5MB
- MD5
  
  7a95a2ac88ee34613da76af12a8f6375
- SHA1
  
  f5dc8fe31229639bd3fe28b52249af29722e0301
- SHA256
  
  e9b4e3c270d7b64eb06871e8d5022d4ea768d93bdd205faab070c6fae695e550
- SHA512
  
  602650ee2657e069523e17677eb3c29a0f7e5aa0ed5b44127c368265f7fed020c93c65fb5af2cd1fc54cd1e4dd278ba1498d248910eac1e60dd09b282a2dfe90
- SSDEEP
  
  49152:yhteEDXKprit/jl70BkHiZsuu4EkYBdpV:5Wt/q38Bd
Score

1^/10
behavioral10 behavioral9
- Target
  
  InstalIеr-x86/cfg/styles/qwindowsvistastyle.dll
- Size
  
  226KB
- MD5
  
  6bea57a7fd8f380de36b89d9bfa6a209
- SHA1
  
  dbcdf8cbbc8914b2a2fbbd81362dc6cd97378a8e
- SHA256
  
  8a864f327756bc0ed0d16c52f37c4c652e7f440081199dcea93ce5839442ee69
- SHA512
  
  d4c28ee0be0f986be7e8c07e4b42393824836e084cee89cf699a1a3d911f1280201321666f070ce743a34ea5810b85b0cc4207f72d55e88c62509d3e070d1b8a
- SSDEEP
  
  3072:zesbD7Kt3oc+kwwPyjHB3UxqFBArvxXJblgQfMJa5MBuiOWnCT0NGcIRS:P+o3GPYBUeyvxXplPqBuiOWnCT0NYR
Score

1^/10
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Vidar Stealer

Stealc family

Vidar

Vidar family

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12