Malware Analysis Report

2024-10-23 19:20

Sample ID 230531-w6xlcahf31
Target stub.exe
SHA256 8a37cfdf9c3d4beca639ead3b11688360333a550aedb60d4dbff82140b9b417e
Tags stealerium stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256

8a37cfdf9c3d4beca639ead3b11688360333a550aedb60d4dbff82140b9b417e

Threat Level: Known bad

The file stub.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium

Stealerium family

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-31 18:32

Signatures

Stealerium family

stealerium

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:35

Platform

win7-20230220-en

Max time kernel

29s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Stealerium

stealer stealerium

Enumerates physical storage devices

Delays execution with timeout.exe

Tag: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

Tag: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 560 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 560 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 560 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 560 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 1128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3FCF.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2016

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

N/A

Files

memory/2016-54-0x0000000000AF0000-0x0000000000C82000-memory.dmp

memory/2016-55-0x0000000004A30000-0x0000000004A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3FCF.tmp.bat

MD5 42e52bfaa667927b4b613a222f3a6f4c
SHA1 b699abc4ef08a6dfaf5ea210762057e1ecee0aa5
SHA256 ce07a3388114fc1f709a8fdf5b196d62771a3a79b2aafc9cf1aeedd9d32d7969
SHA512 af20cdc34fe0795d09ebd35816e3b294b37c9fc1a74800aa8347da33625e39d49556d59eff426d1de0753279d7f0a782492e072157cbf1d358fc4b653737d2bb

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:35

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tag: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

Tag: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCE80.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 1788

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country | Destination | Domain | Proto
US | 52.242.101.226:443 | N/A | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 52.242.101.226:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
US | 52.242.101.226:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
NL | 8.238.179.126:80 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 131.253.33.203:80 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 13.107.42.16:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp

Files

memory/1788-133-0x0000000000380000-0x0000000000512000-memory.dmp

memory/1788-134-0x0000000004ED0000-0x0000000004F36000-memory.dmp

memory/1788-135-0x0000000004E50000-0x0000000004E60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCE80.tmp.bat

MD5 89ee111f1c68257274ce6d32fc411dc4
SHA1 2bd2825dc2a7dd3635bdad31df5da31a001b22dd
SHA256 1c0b9a3dfd0b4c2a18e50e11591cbf2bfcdf5ad80045fc44b5089b6cce8f3c7a
SHA512 e77838db0447abe2ff8c3e255281e0685b35128376fb553c349e1b36cbfc44494a5f99727bc4910c6ec7b7960f9a7f041c0d29c1badd869ba9633b1f092915ca