stealc | 3d54f10e6726b1828ac0252c4bd80e0c4777bba4b34486c217bf2e629b8e67a8

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14-08-2023 13:34

Target

97ec989085e99d2df0426b73620812b0.exe
Size

1.5MB
MD5

97ec989085e99d2df0426b73620812b0
SHA1

3e0f2934165679dd59094e75915a222d5788f381
SHA256

3d54f10e6726b1828ac0252c4bd80e0c4777bba4b34486c217bf2e629b8e67a8
SHA512

8ef9f76d00b8cefa56806420d2602b667c700b253c6f61f954935865d1c921fffb002911ce3c4da57d9038e9fc87bcd5e0ef46ea6f2454114b8cd92939cd30a5
SSDEEP

12288:wL1Gr7+TspeaV64tA0sMdrl3xWzWF+ZuIXW3GAuk2RxRSzG:Vr7+TspeaV64yIlB472CZRxa

Score

10^/10

stealc stealer

Family

stealc

http://94.131.107.238/3aa13fff14e398a1.php

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
860	InstallUtil.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29
PID 2572 wrote to memory of 860	2572	97ec989085e99d2df0426b73620812b0.exe	29

C:\Users\Admin\AppData\Local\Temp\97ec989085e99d2df0426b73620812b0.exe
"C:\Users\Admin\AppData\Local\Temp\97ec989085e99d2df0426b73620812b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:860

memory/860-55-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/860-58-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/860-59-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/860-60-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2572-54-0x00000000013A0000-0x000000000157A000-memory.dmp

Filesize
1.9MB

Download
memory/2572-57-0x00000000013A0000-0x000000000157A000-memory.dmp

Filesize
1.9MB

Download