Analysis Overview
SHA256
572e270efb5e0f5fba00ab1a6935193fcab9e88d443f4d542d71a602bb63593a
Threat Level: Known bad
The file bsco-4v4t4r.zip was found to be: Known bad.
Malicious Activity Summary
Stealerium family
Stealerium
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-26 19:28
Signatures
Stealerium family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-26 19:28
Reported
2023-05-26 19:31
Platform
win10v2004-20230220-en
Max time kernel
72s
Max time network
122s
Command Line
Signatures
Stealerium
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe
"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 4804
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 40.125.122.151:443 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 20.50.201.200:443 | tcp | |
| US | 8.8.8.8:53 | 59.239.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.146.190.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 117.18.237.29:80 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
memory/4804-133-0x00000000001A0000-0x0000000000332000-memory.dmp
memory/4804-134-0x0000000004CC0000-0x0000000004D26000-memory.dmp
memory/4804-135-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat
| MD5 | 9a2e54fd7f50d9099fee4ec50295b049 |
| SHA1 | 9f4f2aecc2dec88ddf724bbc88f79c55f07403c6 |
| SHA256 | 6b3276fd0507d751fd980424ef66ff18737621a4983ac7341513b4c160ab277f |
| SHA512 | 975bf16805461cc8f5e7e3bfb5cc083ac20cca84c17ac750c87370fd0e9c7ea8455089f78b6a6fd1be8c95d4f72c9c52fd180e10ed2fe03dca623c0836b273af |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-26 19:28
Reported
2023-05-26 19:30
Platform
win7-20230220-en
Max time kernel
30s
Max time network
34s
Command Line
Signatures
Stealerium
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe
"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 820
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/820-54-0x0000000000C20000-0x0000000000DB2000-memory.dmp
memory/820-55-0x0000000004AB0000-0x0000000004AF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat
| MD5 | 90dcdd150b66114840c4539dec10d954 |
| SHA1 | 07b020f5324ad737209964643355630a37c5e9d9 |
| SHA256 | e50506f3ac1d84ee33dda7f5ea8cc8e63c9321f6a954f08d03fd845d097dee59 |
| SHA512 | 74272952d721fdb33ee064191494c85636167dc15f38d2a6ed7f6a9e0da6e7f3ebbd22371c2c8b9e21aedaff61b99f1130a700a0e47b8b007704af977bbc423a |