Malware Analysis Report

2024-10-23 19:20

Sample ID: 230526-x6xrsagg95
Target: bsco-4v4t4r.zip
SHA256: 572e270efb5e0f5fba00ab1a6935193fcab9e88d443f4d542d71a602bb63593a
Tags: stealerium, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 572e270efb5e0f5fba00ab1a6935193fcab9e88d443f4d542d71a602bb63593a

Threat Level: Known bad

The file bsco-4v4t4r.zip was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-26 19:28

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-26 19:28

Reported

2023-05-26 19:31

Platform

win10v2004-20230220-en

Max time kernel

72s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe

"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 4804

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country  Destination            Domain                         Proto
US       40.125.122.151:443                                    tcp
US       8.8.8.8:53             154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53             126.179.238.8.in-addr.arpa     udp
US       8.8.8.8:53             discord.com                    udp
US       162.159.135.232:443    discord.com                    tcp
US       8.8.8.8:53             232.135.159.162.in-addr.arpa   udp
US       40.125.122.176:443                                    tcp
US       8.8.8.8:53             18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53             2.36.159.162.in-addr.arpa      udp
US       40.125.122.176:443                                    tcp
US       8.8.8.8:53             104.219.191.52.in-addr.arpa    udp
US       40.125.122.176:443                                    tcp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53             50.23.12.20.in-addr.arpa       udp
NL       20.50.201.200:443                                     tcp
US       8.8.8.8:53             59.239.32.23.in-addr.arpa      udp
US       8.8.8.8:53             63.13.109.52.in-addr.arpa      udp
US       8.8.8.8:53             33.146.190.20.in-addr.arpa     udp
US       93.184.221.240:80                                     tcp
US       117.18.237.29:80                                      tcp
US       93.184.221.240:80                                     tcp

Files

memory/4804-133-0x00000000001A0000-0x0000000000332000-memory.dmp

memory/4804-134-0x0000000004CC0000-0x0000000004D26000-memory.dmp

memory/4804-135-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat

MD5 9a2e54fd7f50d9099fee4ec50295b049
SHA1 9f4f2aecc2dec88ddf724bbc88f79c55f07403c6
SHA256 6b3276fd0507d751fd980424ef66ff18737621a4983ac7341513b4c160ab277f
SHA512 975bf16805461cc8f5e7e3bfb5cc083ac20cca84c17ac750c87370fd0e9c7ea8455089f78b6a6fd1be8c95d4f72c9c52fd180e10ed2fe03dca623c0836b273af

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-26 19:28

Reported

2023-05-26 19:30

Platform

win7-20230220-en

Max time kernel

30s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"

Signatures

Stealerium

stealer stealerium

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 928 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 928 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 928 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 928 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 928 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 928 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 928 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 928 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 928 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 928 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 928 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe

"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 820

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             discord.com                    udp
US       162.159.136.232:443    discord.com                    tcp

Files

memory/820-54-0x0000000000C20000-0x0000000000DB2000-memory.dmp

memory/820-55-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat

MD5 90dcdd150b66114840c4539dec10d954
SHA1 07b020f5324ad737209964643355630a37c5e9d9
SHA256 e50506f3ac1d84ee33dda7f5ea8cc8e63c9321f6a954f08d03fd845d097dee59
SHA512 74272952d721fdb33ee064191494c85636167dc15f38d2a6ed7f6a9e0da6e7f3ebbd22371c2c8b9e21aedaff61b99f1130a700a0e47b8b007704af977bbc423a