stealc | 278e28b13293671dbc74ea12561ba629d3ea8adaa5705b19c79a1dac5ace51cc | Triage

Analysis

max time kernel
152s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 16:14

Sharing

Report Analysis Logs

General

Target

1880-1005-0x0000000000400000-0x0000000000629000-memory.exe
Size

2.2MB
MD5

e5239caf31e887c49961debc13890a3f
SHA1

a7d01cabcdf1bd11b002b63efc4350f05f74f9d2
SHA256

278e28b13293671dbc74ea12561ba629d3ea8adaa5705b19c79a1dac5ace51cc
SHA512

04510dc086b6c748571cfe75f5e31fb0d5bf7563425f07e24c295b818813d0729d897d6fd6ba1d924cabb359862ef9ea25bc0afcbc7ee9676918df4274a6de9b
SSDEEP

12288:q86BuD3/yZ/vfU56TfXDL97zjad7OM4bZE+b:qZ

Score

10^/10

stealc stealer

Malware Config

Signatures

Detects Stealc stealer 1 IoCs

resource	yara_rule
behavioral2/memory/2840-133-0x0000000000400000-0x0000000000629000-memory.dmp	family_stealc

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F517CDC1-824D-4E29-8C6C-F869C22E2A37}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E5056DB7-BA74-4793-B2DC-3A11BC92E8DB}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{697CD11B-618D-4CE0-B0E1-1A8A995BA6A1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E9BFFF8B-596B-422B-A07E-E9185A08C9CD}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{209CB5AF-5C4F-4C3C-B22F-3094EDFFD777}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9CD6AEBC-A2C3-4C77-B31A-E4672340F485}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3803396F-6871-40C6-9D88-1A2DCE286FB1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D247DC8D-1EC2-4AAC-90DF-3007C6B97CF0}.catalogItem	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4680	2840	WerFault.exe	80

C:\Users\Admin\AppData\Local\Temp\1880-1005-0x0000000000400000-0x0000000000629000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1880-1005-0x0000000000400000-0x0000000000629000-memory.exe"
1⤵
PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 216
  2⤵
  - Program crash
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2840 -ip 2840
1⤵
PID:4576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-133-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download