Edit tour
Windows
Analysis Report
B7VbZC8QLf.exe
Overview
General Information
Detection
Stealc, Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Stealc
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Self deletion via cmd or bat file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Found evasive API chain (may stop execution after checking locale)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- B7VbZC8QLf.exe (PID: 2492 cmdline:
C:\Users\u ser\Deskto p\B7VbZC8Q Lf.exe MD5: 763C3550F4E0A97BAA4EBD6FC8C61996) - cmd.exe (PID: 5956 cmdline:
"C:\Window s\system32 \cmd.exe" /c timeout /t 5 & de l /f /q "C :\Users\us er\Desktop \B7VbZC8QL f.exe" & d el "C:\Pro gramData\* .dll"" & e xit MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 4332 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - timeout.exe (PID: 6092 cmdline:
timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
{"C2 url": "http://jerrysmith.online/410b5129171f10ea.php"}
{"C2 url": "http://jerrysmith.online/410b5129171f0ea.php"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 3 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
|
⊘No Sigma rule has matched
Timestamp: | 192.168.2.585.31.45.2249690802044243 03/22/23-11:21:17.410796 |
SID: | 2044243 |
Source Port: | 49690 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.585.31.45.2249691802044244 03/22/23-11:21:17.890075 |
SID: | 2044244 |
Source Port: | 49691 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.585.31.45.2249692802044246 03/22/23-11:21:18.044660 |
SID: | 2044246 |
Source Port: | 49692 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Code function: | 0_2_0040D983 | |
Source: | Code function: | 0_2_00404CAA | |
Source: | Code function: | 0_2_0040B967 | |
Source: | Code function: | 0_2_00406790 | |
Source: | Code function: | 0_2_00404BBC |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |