Analysis

  • max time kernel: 148s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-06-2023 11:47

General

  • Target: build.exe
  • Size: 1.6MB
  • MD5: 859bc46c49e73a343435f0bc6bc34316
  • SHA1: 2958bda05d4286139fd5d4dc8214ca1beed52ee5
  • SHA256: 659104df997bdd55eab8acd0e70d6333935a07855c0e2af9fa1a620d5c903af3
  • SHA512: 99bc8b0b80c3cb48d8061419bb628040d11165bc5814ef26c005083f54bc617eb3744849bcbf604bba9c37539f8de5c3a2cfa49dded218808eee6a6302fdeda0
  • SSDEEP: 24576:Hi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLJ:CTq24GjdGSiqkqXfd+/9AqYanieKd

Malware Config

Extracted

  • Family: stealerium
  • C2: https://discord.com/api/webhooks/1119171816687149056/0B8BKIQfBKmrRYNQcdcs6n7YHcS4MB5yYXNnj3GBhRUYpBVvxdhVLNoP-_EpEyJ8sjKp

The C2 is a Discord webhook. The last path component of a webhook URL is its token, which is all that is needed to post to the channel, so the URL itself is a live credential: share it only in defanged, token-free form outside the analysis team.
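The numeric part of the webhook URL is a Discord snowflake, which encodes the time the webhook was created. The following added example (not code from the sandbox or from Stealerium) pulls webhook URLs out of a strings dump, derives the creation time from the ID and emits a defanged, token-free IOC. The strings are constructed, the webhook is the one from the config above, and the only assumption is Discord's documented snowflake layout (millisecond timestamp since 2015-01-01 UTC in the bits above bit 22).

```python
"""Extract a Discord-webhook C2 from a strings dump and date the webhook.

Added example, not code from the sandbox or from Stealerium. The webhook URL
is the one in the Malware Config above; the surrounding lines are constructed
noise standing in for `strings` output. Only the public structure of Discord
snowflake IDs is assumed (millisecond timestamp since 2015-01-01 UTC, >> 22).
"""
import re
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000   # 2015-01-01T00:00:00Z

# Webhook URL shape: numeric snowflake ID, then a URL-safe token. The token is
# a write credential for the channel, so the defanged IOC below drops it.
WEBHOOK_RE = re.compile(
    r"https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,80})"
)

# Constructed stand-in for `strings build.exe` output.
SAMPLE_STRINGS = """\
System.Net.Http
https://discord.com/api/webhooks/1119171816687149056/0B8BKIQfBKmrRYNQcdcs6n7YHcS4MB5yYXNnj3GBhRUYpBVvxdhVLNoP-_EpEyJ8sjKp
netsh wlan show profile
https://discord.com/api/webhooks/not-a-webhook
"""


def snowflake_to_unix_ms(snowflake: int) -> int:
    """Creation time encoded in a Discord snowflake, as Unix milliseconds."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_datetime(snowflake: int) -> datetime:
    ms = snowflake_to_unix_ms(snowflake)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def extract_webhooks(blob: str) -> list:
    """Return one record per distinct webhook URL found in the text."""
    seen, found = set(), []
    for m in WEBHOOK_RE.finditer(blob):
        wid = m.group("id")
        if wid in seen:
            continue
        seen.add(wid)
        created = snowflake_to_datetime(int(wid))
        found.append({
            "url": m.group(0),
            "webhook_id": wid,
            "created_utc": created.isoformat(timespec="seconds"),
            # Defanged, token-free form that is safe to paste into a ticket.
            "ioc": "hxxps://discord[.]com/api/webhooks/%s/<token>" % wid,
        })
    return found


if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_STRINGS):
        print(hook["ioc"], "created", hook["created_utc"])
```

For this sample the ID decodes to 2023-06-16T07:49:14Z, the same day the file was submitted (the report's submission timestamp carries no timezone, so the gap cannot be stated more precisely than "hours"). A webhook created shortly before the sample is first seen is consistent with a per-build C2; such IDs are therefore a better pivot for clustering builds than the token, which rotates when the operator recreates the webhook.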

Signatures

  • Stealerium
    An open-source info stealer written in C#, first seen in May 2022.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
    Here this is the Discord webhook listed under Malware Config: exfiltration goes to discord.com over HTTPS, so at the network level it is indistinguishable from ordinary Discord traffic and the webhook URL has to be recovered from the sample or its memory.
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies system certificate store (2 TTPs, 6 IoCs)
    Caveat: the CryptnetUrlCache entry and the Cab*.tmp/Tar*.tmp files under Downloads are consistent with Windows' own CryptoAPI root-certificate update being triggered by the sample's first HTTPS connection, so on its own this signature is weak evidence of deliberate certificate tampering.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1612
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        PID:1656
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1640
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:276
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:916

Reading the tree: build.exe (PID 1996) runs from %TEMP%, and its children come from SysWOW64, so it is a 32-bit process on this x64 guest. It spawns two one-shot cmd.exe pipelines. `chcp 65001` switches the console to UTF-8 so the output can be parsed reliably; `netsh wlan show profile | findstr All` keeps the "All User Profile : <SSID>" lines, i.e. the names of every saved Wi-Fi network; `netsh wlan show networks mode=bssid` lists the access points in range with their BSSIDs, which is enough to geolocate the host through a Wi-Fi positioning database. The WriteProcessMemory flag on the two cmd.exe instances is the normal cost of cmd.exe setting up its pipeline children, not injection. msiexec.exe /V (PID 916) appears as a separate root at depth 1, not as a child of build.exe; that command line is the Windows Installer service's own start and is most likely guest background activity rather than something the sample did.
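One detection a responder would want from this tree is netsh wlan enumeration whose real launcher is not an interactive shell. The following is an added example, not the sandbox's or Stealerium's code. It runs over constructed Sysmon-style process-creation events that mirror the tree above (images, command lines and PIDs are taken from the report; explorer.exe as the parent of build.exe, and a benign interactive case for contrast, are assumed), steps past cmd.exe wrappers to the process that actually asked for the command, and scores on launcher type, launcher location and the scripted `chcp 65001 && netsh` shape.

```python
"""Flag Wi-Fi profile harvesting in process-creation telemetry.

Added example, not code from the sandbox or from Stealerium. EVENTS is a
constructed Sysmon-style (Event ID 1) log that mirrors the process tree in
the report: images, command lines and PIDs are taken from it; the parent of
build.exe (explorer.exe, PID 1200) and the benign interactive case (PIDs 2900
and 3000) are assumed.
"""
import re

# netsh wlan verbs that list saved profiles or nearby networks. "key=clear" is
# the follow-up that prints a profile's PSK; it does not appear in this run but
# belongs in the same rule.
WLAN_RE = re.compile(r"\bwlan\s+show\s+(?:profiles?|networks)\b", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)

# Launchers from which an admin would plausibly run netsh by hand.
INTERACTIVE = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Locations an unprivileged user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _ancestry(event: dict, by_pid: dict) -> list:
    """Parent, grandparent, ...; stops on a missing or cyclic link."""
    chain, seen = [], set()
    cur = by_pid.get(event["ParentProcessId"])
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        chain.append(cur)
        cur = by_pid.get(cur["ParentProcessId"])
    return chain


def detect_wifi_harvest(events: list) -> list:
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if _base(e["Image"]) != "netsh.exe" or not WLAN_RE.search(e["CommandLine"]):
            continue
        chain = _ancestry(e, by_pid)
        # Step over cmd.exe wrappers ("cmd /C ...") to the process that asked for this.
        launcher = next((a for a in chain if _base(a["Image"]) != "cmd.exe"), None)
        reasons = []
        if launcher is not None and _base(launcher["Image"]) not in INTERACTIVE:
            reasons.append("launched by non-interactive process " + _base(launcher["Image"]))
        if launcher is not None and any(d in launcher["Image"].lower() for d in USER_WRITABLE):
            reasons.append("launcher runs from a user-writable directory")
        parent_cmd = chain[0]["CommandLine"].lower() if chain else ""
        if "chcp 65001" in parent_cmd and "netsh" in parent_cmd:
            reasons.append("one cmd /C line sets the UTF-8 code page then runs netsh (scripted collection)")
        if KEY_CLEAR_RE.search(e["CommandLine"]):
            reasons.append("key=clear requests the plaintext PSK")
        if not reasons:
            continue  # an admin typing netsh in a shell: leave it to the audit log
        findings.append({
            "pid": e["ProcessId"],
            "launcher_pid": launcher["ProcessId"] if launcher else None,
            "severity": "high" if len(reasons) >= 2 else "low",
            "reasons": reasons,
        })
    return findings


def _ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


EVENTS = [
    _ev(1200, 4, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent of the sample
    _ev(1996, 1200, r"C:\Users\Admin\AppData\Local\Temp\build.exe", r'"C:\Users\Admin\AppData\Local\Temp\build.exe"'),
    _ev(732, 1996, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    _ev(1612, 732, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    _ev(1656, 732, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    _ev(1204, 732, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    _ev(960, 1996, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    _ev(1640, 960, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    _ev(276, 960, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Assumed benign case: an admin opens a console from Explorer and runs the same command.
    _ev(2900, 1200, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    _ev(3000, 2900, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

if __name__ == "__main__":
    for f in detect_wifi_harvest(EVENTS):
        print(f["severity"], "netsh PID", f["pid"], "launched by PID", f["launcher_pid"], "|", "; ".join(f["reasons"]))
```

Both netsh instances from the report score high (non-interactive launcher, launcher in %TEMP%, scripted chcp-then-netsh line), while the interactive case produces no finding. Walking the ancestry rather than looking only at the immediate parent is the part that matters: the parent of netsh.exe is always cmd.exe here, which on its own is not suspicious.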

Network

MITRE ATT&CK Enterprise v6

Downloads

The seven paths under C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\ are the stealer's staging directory: a per-victim folder named <user>@<host>_<locale> with one subfolder per collection category (Browsers, Directories, System), plus msgid.dat at the root. The other three entries (the CryptnetUrlCache metadata file and Cab64D6.tmp/Tar65A4.tmp in %TEMP%) are consistent with Windows CryptoAPI's certificate-update cache rather than stealer output.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 7d8d9697fa8faf469d3a55ef08c22522
    SHA1: a612c874dbb8221026d6cab139925928466c6853
    SHA256: 2cc104bea778cc593682fbf0ce5ed7bf8fa33344b77aec08de972861504dc76e
    SHA512: 4a40ce36c33bba2a97db728c9895604f69ef42575853c40b86dad7cfdefcfafef26f06dea4ceae0ffb0f51ef48401d6994f215151d2c2d7031569bdae0632a2c

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\Directories\Startup.txt
    Filesize: 24B
    MD5: 68c93da4981d591704cea7b71cebfb97
    SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
    SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
    SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\Directories\Videos.txt
    Filesize: 23B
    MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\System\Apps.txt
    Filesize: 4KB
    MD5: 306c7f85413b3604f6b752e9a32bb8ec
    SHA1: 58d375c0ab4fc8937059996e91f7ff855bbf865a
    SHA256: d6429fef8f1d5724add291f3ea2b35eb4e907d10846f0501212d032818936e46
    SHA512: 3a8afab98949758ad3a30e079b7f59b90a7896e7bbbdfa03ddef9eb43d9a89c4d2e6698d82df3c9fe959de633e1b147c0c1f9c8fb147df2ecaa093109fc430ff

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\System\Debug.txt
    Filesize: 1KB
    MD5: 90976e9a2124fb060b1439c49c8ca09d
    SHA1: 22c7336f96a8e753d0ae7ca7259ed5d631f33059
    SHA256: cd9e47aec1f48edfdd093341f71d842e6b1258d3d286f960562e2b02e8185e7f
    SHA512: ca3a93cf1a7a01e157f83f28c39066983fd509a256b0e648e84245382849ea4c1f76b1114d4dc08e8de342520574721abb6b570b3f86c57e04292277b927a024

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\System\ProductKey.txt
    Filesize: 29B
    MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
    SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
    SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
    SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\msgid.dat
    Filesize: 19B
    MD5: f7a3b45f432929fcedb11d4b7c8ff5cd
    SHA1: aa16387fd1f0f2219611f386126d25b74841ac4c
    SHA256: 34d0f4b20b95a9442168894011d9a439f6ce0efe01ea1c1544757481938a361a
    SHA512: 3d006593efc9bab73aa5658e24c91783eba0b1f7925c759e4c14b34096602e0615c02e80e23807786fea0653ca46e2bfa3fca67abbb6a1b53a9abf0ff66fd4ff

  • C:\Users\Admin\AppData\Local\Temp\Cab64D6.tmp
    Filesize: 62KB
    MD5: 3ac860860707baaf32469fa7cc7c0192
    SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
    SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
    SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\Tar65A4.tmp
    Filesize: 164KB
    MD5: 4ff65ad929cd9a367680e0e5b1c08166
    SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
    SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
    SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
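The dropped loot paths share one layout, which makes a usable endpoint hunt on its own. The following added example (not code from the sandbox or from Stealerium) classifies dropped-file paths by that layout and produces a one-line triage summary per staging directory. The regex is inferred from the paths in this report rather than taken from the stealer's source, so treat it as a heuristic; the path list is the one above.

```python
"""Recognise an infostealer staging directory from dropped-file paths.

Added example, not code from the sandbox or from Stealerium. DROPPED lists
the paths from the Downloads section above; the layout
<LOCALAPPDATA>\<32-hex id>\<user>@<host>_<locale>\<category>\... is read off
those paths, not taken from the stealer's source, so the regex is a hunting
heuristic rather than a specification.
"""
import re

LOOT_RE = re.compile(
    r"^(?P<root>.+\\appdata\\local\\(?P<id>[0-9a-f]{32}))\\"
    r"(?:(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[a-z]{2}-[a-z]{2})\\"
    r"(?P<category>[^\\]+)\\(?P<file>.+)"
    r"|(?P<rootfile>[^\\]+))$",
    re.IGNORECASE,
)

# Paths as listed in the report's Downloads section.
DROPPED = [
    r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\Directories\Startup.txt",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\Directories\Videos.txt",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\System\Apps.txt",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\System\Debug.txt",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\Admin@THEQWNRW_en-US\System\ProductKey.txt",
    r"C:\Users\Admin\AppData\Local\2c28f4cbd63c447f734240747b2a6156\msgid.dat",
    r"C:\Users\Admin\AppData\Local\Temp\Cab64D6.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\Tar65A4.tmp",
]


def classify_dropped(paths):
    """Split paths into staging directories (keyed by the 32-hex id) and everything else."""
    loot, other = {}, []
    for p in paths:
        m = LOOT_RE.match(p)
        if m is None:
            other.append(p)
            continue
        entry = loot.setdefault(m["id"], {"root": m["root"], "victim": None,
                                          "categories": {}, "root_files": []})
        if m["rootfile"]:
            entry["root_files"].append(m["rootfile"])
        else:
            entry["victim"] = {"user": m["user"], "host": m["host"], "locale": m["locale"]}
            entry["categories"].setdefault(m["category"], []).append(m["file"])
    return loot, other


def summarize(loot):
    """One triage line per staging directory: who was harvested and what categories exist."""
    lines = []
    for sid, e in loot.items():
        v = e["victim"] or {}
        cats = " ".join("%s(%d)" % (c, len(fs)) for c, fs in sorted(e["categories"].items()))
        lines.append("%s at %s: victim %s@%s [%s]; %s; root files: %s" % (
            sid, e["root"], v.get("user", "?"), v.get("host", "?"), v.get("locale", "?"),
            cats or "no categories", ", ".join(e["root_files"]) or "none"))
    return lines


if __name__ == "__main__":
    loot, other = classify_dropped(DROPPED)
    for line in summarize(loot):
        print(line)
    print("not stealer output:", len(other), "path(s)")
```

On a live host the same regex can be applied to a recursive listing of %LOCALAPPDATA%: a 32-hex-character folder containing a <user>@<host>_<locale> subfolder is a strong indicator even when the individual loot files have already been zipped and deleted, because the folder is what survives a partial cleanup.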

All memory dumps are from PID 1996 (build.exe). The 1.6MB region at 0x000F0000-0x00282000 matches the size of build.exe itself and is the mapped main image; the 0x049F0000-0x04A30000 region was dumped three times over the run (steps 55, 130 and 324), so it is the one to diff first when looking for decrypted configuration or collected data.

  • memory/1996-177-0x0000000005EC0000-0x0000000005F3A000-memory.dmp (488KB)
  • memory/1996-130-0x00000000049F0000-0x0000000004A30000-memory.dmp (256KB)
  • memory/1996-54-0x00000000000F0000-0x0000000000282000-memory.dmp (1.6MB)
  • memory/1996-241-0x0000000006DE0000-0x0000000006E92000-memory.dmp (712KB)
  • memory/1996-55-0x00000000049F0000-0x0000000004A30000-memory.dmp (256KB)
  • memory/1996-304-0x0000000005E20000-0x0000000005EB2000-memory.dmp (584KB)
  • memory/1996-324-0x00000000049F0000-0x0000000004A30000-memory.dmp (256KB)