Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:B7VbZC8QLf.exe
Original Sample Name:763c3550f4e0a97baa4ebd6fc8c61996.exe
Analysis ID:832130


Stealc, Vidar
Range:0 - 100


Multi AV Scanner detection for submitted file
Yara detected Stealc
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Self deletion via cmd or bat file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Found evasive API chain (may stop execution after checking locale)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)


  • System is w10x64
  • B7VbZC8QLf.exe (PID: 2492 cmdline: C:\Users\user\Desktop\B7VbZC8QLf.exe MD5: 763C3550F4E0A97BAA4EBD6FC8C61996)
    • cmd.exe (PID: 5956 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6092 cmdline: timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://jerrysmith.online/410b5129171f10ea.php"}
{"C2 url": "http://jerrysmith.online/410b5129171f0ea.php"}
  • 0x4aad:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
    00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Click to see the 3 entries
        0.2.B7VbZC8QLf.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          0.2.B7VbZC8QLf.exe.8a0e67.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            • 0x78246:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
            No Sigma rule has matched
            Timestamp: 03/22/23-11:21:17.410796
            Source Port:49690
            Destination Port:80
            Classtype:A Network Trojan was detected
            Timestamp: 03/22/23-11:21:17.890075
            Source Port:49691
            Destination Port:80
            Classtype:A Network Trojan was detected
            Timestamp: 03/22/23-11:21:18.044660
            Source Port:49692
            Destination Port:80
            Classtype:A Network Trojan was detected

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            Source: B7VbZC8QLf.exeReversingLabs: Detection: 29%
            Source: B7VbZC8QLf.exeVirustotal: Detection: 37%Perma Link
            Source: B7VbZC8QLf.exeJoe Sandbox ML: detected
            Source: 0.2.B7VbZC8QLf.exe.8a0e67.1.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 0.3.B7VbZC8QLf.exe.8c0000.0.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmpMalware Configuration Extractor: Vidar {"C2 url": "http://jerrysmith.online/410b5129171f0ea.php"}
            Source: 0.2.B7VbZC8QLf.exe.400000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://jerrysmith.online/410b5129171f10ea.php"}
            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeCode function: 0_2_0040D983 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_0040D983
            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeCode function: 0_2_00404CAA LocalAlloc,StrStrA,memcmp,CryptUnprotectData,LocalAlloc,LocalFree,0_2_00404CAA
            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeCode function: 0_2_0040B967 RegEnumValueA,lstrcat,lstrcat,StrStrA,GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,lstrcpy,GetProcessHeap,HeapFree,lstrcat,lstrcpy,wsprintfA,lstrcat,lstrcat,RegEnumValueA,0_2_0040B967
            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeCode function: 0_2_00406790 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,0_2_00406790
            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeCode function: 0_2_00404BBC CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00404BBC


            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeUnpacked PE file: 0.2.B7VbZC8QLf.exe.400000.0.unpack
            Source: B7VbZC8QLf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\B7VbZC8QLf.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior