stealc | 6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24

Analysis

max time kernel
124s
max time network
254s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe
Size

4.0MB
MD5

5bd216a72dc52d0ae58d8efa14fe4f8f
SHA1

a8187e77a20ef41e8177d5e6e9340b024819a302
SHA256

6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24
SHA512

7f0c57a6ff51aa8e10a988e4067c96ce7e80a9ac948675ec800fd48250aecba9bcd92a247d9d2c4e5c7ff599d7620e702909da5c31dde618b320b2b2f68fd787
SSDEEP

49152:MBi9xBTr3/4JEvFQsThK+eaxEdga4OiZrq1DfP+rsNADtV6v+L0uSwiPSCmDS+5J:8i9lvtEz4OiZrq1DfPHNADtV6v+

Score

10^/10

stealc spyware stealer

Malware Config

Extracted

Family

stealc

http://80.92.206.215/889842668f48cc70.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
524	InstallUtil.exe
524	InstallUtil.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4892	Powershell.exe
4892	Powershell.exe
4892	Powershell.exe
5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe
5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe
524	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	Powershell.exe
Token: SeDebugPrivilege	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4892	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	69
PID 5116 wrote to memory of 4892	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	69
PID 5116 wrote to memory of 4892	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	69
PID 5116 wrote to memory of 432	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	71
PID 5116 wrote to memory of 432	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	71
PID 5116 wrote to memory of 432	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	71
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 5116 wrote to memory of 524	5116	6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe	72
PID 524 wrote to memory of 4208	524	InstallUtil.exe	73
PID 524 wrote to memory of 4208	524	InstallUtil.exe	73
PID 524 wrote to memory of 4208	524	InstallUtil.exe	73

C:\Users\Admin\AppData\Local\Temp\6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe
"C:\Users\Admin\AppData\Local\Temp\6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\6b061a3bed6d154f931d09b6c9c4cc05adea70431fe225406e28dc360724ca24.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBGHCGCBK.exe"
    3⤵
    PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ECBGHCGCBK.exe

Filesize
9KB

MD5
e3d04985498e6ba394341cabd01e5fd2

SHA1
f04cdabb00fdfdef326709f45058695ca19eaf19

SHA256
123097271da3b6c782ba90e212f538a9da1ac9670b22a83a17a9ce4600f576bd

SHA512
2b8c86859e962153c036165c0ceca0fbb86c1514baf6a3c604716b740bd48b0d8b41ce24735198e72c456d96168b714aa59400e4e6ab5614c9193d6355de8c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhlauaaw.5tc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/524-210-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/524-286-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/524-202-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/524-205-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/524-206-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/4892-130-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/4892-135-0x00000000075C0000-0x00000000075E2000-memory.dmp

Filesize
136KB

Download
memory/4892-131-0x00000000068A0000-0x00000000068D6000-memory.dmp

Filesize
216KB

Download
memory/4892-169-0x00000000079E0000-0x00000000079FC000-memory.dmp

Filesize
112KB

Download
memory/4892-132-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/4892-133-0x0000000006F10000-0x0000000007538000-memory.dmp

Filesize
6.2MB

Download
memory/4892-226-0x0000000009160000-0x00000000091F4000-memory.dmp

Filesize
592KB

Download
memory/4892-129-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/4892-136-0x0000000007660000-0x00000000076C6000-memory.dmp

Filesize
408KB

Download
memory/4892-138-0x00000000076D0000-0x0000000007736000-memory.dmp

Filesize
408KB

Download
memory/4892-228-0x0000000008E60000-0x0000000008E7A000-memory.dmp

Filesize
104KB

Download
memory/4892-230-0x00000000090C0000-0x00000000090E2000-memory.dmp

Filesize
136KB

Download
memory/4892-244-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/4892-251-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/4892-185-0x00000000080A0000-0x0000000008116000-memory.dmp

Filesize
472KB

Download
memory/4892-171-0x0000000008250000-0x000000000829B000-memory.dmp

Filesize
300KB

Download
memory/5116-163-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-145-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-153-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-155-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-157-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-159-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-161-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-117-0x0000000000AD0000-0x0000000000ED2000-memory.dmp

Filesize
4.0MB

Download
memory/5116-165-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-167-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-149-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-170-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-173-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-147-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-175-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-177-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-179-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-181-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-183-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-151-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-186-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-188-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-190-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-191-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/5116-143-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-141-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-137-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-139-0x0000000005DA0000-0x0000000005DC3000-memory.dmp

Filesize
140KB

Download
memory/5116-207-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/5116-134-0x0000000005DA0000-0x0000000005DCA000-memory.dmp

Filesize
168KB

Download
memory/5116-126-0x0000000006300000-0x000000000639C000-memory.dmp

Filesize
624KB

Download
memory/5116-125-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/5116-124-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/5116-123-0x0000000005D10000-0x0000000005D22000-memory.dmp

Filesize
72KB

Download
memory/5116-122-0x00000000059A0000-0x0000000005CF0000-memory.dmp

Filesize
3.3MB

Download
memory/5116-121-0x0000000005800000-0x0000000005868000-memory.dmp

Filesize
416KB

Download
memory/5116-120-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/5116-119-0x0000000005E00000-0x00000000062FE000-memory.dmp

Filesize
5.0MB

Download
memory/5116-118-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download