outsteel | 9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e

Analysis

max time kernel
91s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
28-02-2022 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
Size

737KB
MD5

22840909e11530390e8f74c6a162ded1
SHA1

78d82f0ff396393e958553f25a47145916ea4e39
SHA256

9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e
SHA512

2a2214dc48b6942b19e439db189a9b2e7df6d91c26b24692fe370d552c70e828cb6d4ac344dc2fe36e08b0752e4ae8886f4d1f3f45970a65eaebae2d3069c130

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel

OutSteel batch script 1 IoCs

Detects batch script dropped by OutSteel

resource	yara_rule
behavioral2/files/0x000400000001e78b-134.dat	outsteel_batch_script

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4008 created 3768	4008	WerFault.exe	78

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\i:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\l:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\v:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\r:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\t:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\x:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\z:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\a:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\f:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\n:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\q:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\k:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\m:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\w:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\o:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\p:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\s:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\u:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\b:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\e:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\g:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\j:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
File opened (read-only)	\??\y:	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3768-132-0x0000000001C80000-0x0000000001D5D000-memory.dmp	autoit_exe
behavioral2/memory/3768-133-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3176	3768	WerFault.exe	78

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3744	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3176	WerFault.exe
3176	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3176	WerFault.exe
Token: SeBackupPrivilege	3176	WerFault.exe
Token: SeDebugPrivilege	3744	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3700	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	79
PID 3768 wrote to memory of 3700	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	79
PID 3768 wrote to memory of 3700	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	79
PID 3768 wrote to memory of 4480	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	81
PID 3768 wrote to memory of 4480	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	81
PID 3768 wrote to memory of 4480	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	81
PID 3768 wrote to memory of 728	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	85
PID 3768 wrote to memory of 728	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	85
PID 3768 wrote to memory of 728	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	85
PID 3768 wrote to memory of 1332	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	87
PID 3768 wrote to memory of 1332	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	87
PID 3768 wrote to memory of 1332	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	87
PID 3768 wrote to memory of 2292	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	90
PID 3768 wrote to memory of 2292	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	90
PID 3768 wrote to memory of 2292	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	90
PID 3768 wrote to memory of 1508	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	93
PID 3768 wrote to memory of 1508	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	93
PID 3768 wrote to memory of 1508	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	93
PID 3768 wrote to memory of 4692	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	95
PID 3768 wrote to memory of 4692	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	95
PID 3768 wrote to memory of 4692	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	95
PID 3768 wrote to memory of 1316	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	97
PID 3768 wrote to memory of 1316	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	97
PID 3768 wrote to memory of 1316	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	97
PID 3768 wrote to memory of 4852	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	99
PID 3768 wrote to memory of 4852	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	99
PID 3768 wrote to memory of 4852	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	99
PID 3768 wrote to memory of 1604	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	101
PID 3768 wrote to memory of 1604	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	101
PID 3768 wrote to memory of 1604	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	101
PID 3768 wrote to memory of 4580	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	103
PID 3768 wrote to memory of 4580	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	103
PID 3768 wrote to memory of 4580	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	103
PID 3768 wrote to memory of 368	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	105
PID 3768 wrote to memory of 368	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	105
PID 3768 wrote to memory of 368	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	105
PID 3768 wrote to memory of 2988	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	108
PID 3768 wrote to memory of 2988	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	108
PID 3768 wrote to memory of 2988	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	108
PID 3768 wrote to memory of 3332	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	110
PID 3768 wrote to memory of 3332	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	110
PID 3768 wrote to memory of 3332	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	110
PID 3768 wrote to memory of 3432	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	112
PID 3768 wrote to memory of 3432	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	112
PID 3768 wrote to memory of 3432	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	112
PID 3768 wrote to memory of 204	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	114
PID 3768 wrote to memory of 204	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	114
PID 3768 wrote to memory of 204	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	114
PID 3768 wrote to memory of 4388	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	116
PID 3768 wrote to memory of 4388	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	116
PID 3768 wrote to memory of 4388	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	116
PID 3768 wrote to memory of 4328	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	119
PID 3768 wrote to memory of 4328	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	119
PID 3768 wrote to memory of 4328	3768	9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe	119
PID 4328 wrote to memory of 4112	4328	cmd.exe	124
PID 4328 wrote to memory of 4112	4328	cmd.exe	124
PID 4328 wrote to memory of 4112	4328	cmd.exe	124
PID 4008 wrote to memory of 3768	4008	WerFault.exe	78
PID 4008 wrote to memory of 3768	4008	WerFault.exe	78
PID 4112 wrote to memory of 2860	4112	cmd.exe	127
PID 4112 wrote to memory of 2860	4112	cmd.exe	127
PID 4112 wrote to memory of 2860	4112	cmd.exe	127
PID 4112 wrote to memory of 3744	4112	cmd.exe	128
PID 4112 wrote to memory of 3744	4112	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
"C:\Users\Admin\AppData\Local\Temp\9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start /min r.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K r.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 620
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3768 -ip 3768
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3768-130-0x0000000001A4A000-0x0000000001AC5000-memory.dmp

Filesize
492KB

Download
memory/3768-131-0x0000000001A4A000-0x0000000001AC5000-memory.dmp

Filesize
492KB

Download
memory/3768-132-0x0000000001C80000-0x0000000001D5D000-memory.dmp

Filesize
884KB

Download
memory/3768-133-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download