Overview

overview

10

Static

static

c6c47d3d7e...6e.exe

windows7_x64

10

c6c47d3d7e...6e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294178s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    28-02-2022 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e.exe

  • Size

    1.1MB

  • MD5

    29e47258c517f5f33349caacef044645

  • SHA1

    42cfb37c1f47de8f1ef6f4dbd047c1a06922adc0

  • SHA256

    c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e

  • SHA512

    edf41423deef4dfc38d634d89e9d39c65887f168deac577c075aa4cc92bc413c611ed3d5083398d35614b425fb5c0f6ecf1b624787e8f7f16bec4d70e17a6c9f

Score
10/10
outsteelagilenetspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • OutSteel batch script 1 IoCs

    Detects batch script dropped by OutSteel

  • Deletes itself 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e.exe
    "C:\Users\Admin\AppData\Local\Temp\c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e.exe
      "C:\Users\Admin\AppData\Local\Temp\c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        3⤵
          PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
          3⤵
            PID:1044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
            3⤵
              PID:1192
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
              3⤵
                PID:1820
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
                3⤵
                  PID:1196
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                  3⤵
                    PID:1476
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                    3⤵
                      PID:2004
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                      3⤵
                        PID:836
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                        3⤵
                          PID:840
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                          3⤵
                            PID:1988
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                            3⤵
                              PID:1140
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                              3⤵
                                PID:1016
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                                3⤵
                                  PID:1460
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                  3⤵
                                    PID:436
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                    3⤵
                                      PID:304
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                      3⤵
                                        PID:1852
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                        3⤵
                                          PID:1928
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c start /min r.bat
                                          3⤵
                                            PID:1796
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /K r.bat
                                              4⤵
                                              • Deletes itself
                                              PID:1612
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"
                                                5⤵
                                                  PID:1064
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  Taskkill /IM cmd.exe /F
                                                  5⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2016

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/968-66-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-61-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-69-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-68-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/968-63-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-67-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-65-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-62-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/968-64-0x0000000000400000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          904KB

                                          Download

                                        • memory/1152-59-0x00000000004E0000-0x00000000004F4000-memory.dmp

                                          Filesize

                                          80KB

                                          Download

                                        • memory/1152-56-0x0000000002390000-0x0000000002391000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1152-54-0x0000000000C60000-0x0000000000D88000-memory.dmp

                                          Filesize

                                          1.2MB

                                          Download

                                        • memory/1152-60-0x0000000000680000-0x0000000000686000-memory.dmp

                                          Filesize

                                          24KB

                                          Download

                                        • memory/1152-58-0x0000000002391000-0x0000000002392000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1152-57-0x00000000004B0000-0x00000000004D8000-memory.dmp

                                          Filesize

                                          160KB

                                          Download

                                        • memory/1152-55-0x00000000746AE000-0x00000000746AF000-memory.dmp

                                          Filesize

                                          4KB

                                          Download