stealc | f1bff435d395515d6905b6e379eaefd63e38bb50c327b82c48e3d382039ae0db

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

book_532859.exe
Size

788.6MB
MD5

d6010f308bedbabe0f2d033de525d4ae
SHA1

4667dbb6f726cc4858f3492874b7d0d07ac8aebc
SHA256

a1cb435f433bbb16c1de7ce6e7de789d816244ca54680d36fbedfbfd4e4f5220
SHA512

44505cd94d49ae5271c7a882f87a66f8bef7fd3bcc910470ff93e3ce3c692165e9f15e8f5c6149fddfa43ef7cad1babff8c20f3fb2db1e848b17bc93799bb015
SSDEEP

24576:6I51wSSi3PrbK7h8TaeWru3GBLeNKp8zP+++++++iN0333T1Sizr:6I51Km6deWrucvyz+++++++iq333To8

Score

10^/10

stealc spyware stealer

Malware Config

Extracted

Family

stealc

http://65.108.211.9/a7b9969886761113.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
2668	InstallUtil.exe
2668	InstallUtil.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 2668	1356	book_532859.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe
2668	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	book_532859.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE
3060	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30
PID 1356 wrote to memory of 2668	1356	book_532859.exe	30

C:\Users\Admin\AppData\Local\Temp\book_532859.exe
"C:\Users\Admin\AppData\Local\Temp\book_532859.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WriteUnblock.doc"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc

Filesize
789KB

MD5
7ec07efd640f0f10d4200eab8ee0cec5

SHA1
f260f3a9404ebf2dd4fe38988bb89859f80d4be6

SHA256
292d59a15d57a11714f8e204921d5dac544c9d17a2e024c14a76bc13e60ff3b9

SHA512
95a3756ff52fab17b8ab886c7a0eacbe17963342dd4620a103d437af364f494640e3efb4bf2bedd72983f2bbe3654b1a176d94beb38c9f0dd53a10df3044df9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6d0e577ab1d78f270c69a86a64e75d19

SHA1
d27ab3f427582e6f66e6700a89237ea32f43709c

SHA256
3f0b426e2378cb26b66c9147f85fc53621158ecd58a68100738c5be56386f1de

SHA512
c62b85033ac2724ab7478789e9e321da201500345a289a28d9f5d15a5b84d70d5179cd02789b80e0e90985b3e939440aab2657f1ec3cd78d8e330b61943d4a78

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1356-98-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-62-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-102-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-61-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-104-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-64-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-66-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-68-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-70-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-72-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-74-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-76-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-78-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-80-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-82-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-106-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-86-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-88-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-90-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-92-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-94-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-96-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-54-0x0000000001180000-0x000000000132A000-memory.dmp

Filesize
1.7MB

Download
memory/1356-100-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-60-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/1356-59-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-84-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-108-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-110-0x00000000009E0000-0x0000000000A03000-memory.dmp

Filesize
140KB

Download
memory/1356-111-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1356-55-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-56-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download
memory/1356-57-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1356-58-0x0000000001120000-0x0000000001186000-memory.dmp

Filesize
408KB

Download
memory/1356-122-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-118-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-114-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-123-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-184-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-125-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2668-120-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-119-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-124-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-116-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-112-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/3060-185-0x000000002FC90000-0x000000002FDED000-memory.dmp

Filesize
1.4MB

Download
memory/3060-204-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/3060-203-0x000000002FC90000-0x000000002FDED000-memory.dmp

Filesize
1.4MB

Download
memory/3060-187-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/3060-234-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download