Analysis Overview
SHA256
0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2
Threat Level: Known bad
The file NEAS.stub.exe was found to be: Known bad.
Malicious Activity Summary
Stealerium
Stealerium family
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-17 16:39
Signatures
Stealerium family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-17 16:39
Reported
2023-11-17 16:42
Platform
win7-20231020-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Stealerium
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp83B9.tmp.bat |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\taskkill.exe | TaskKill /F /IM 1968 |
| C:\Windows\SysWOW64\timeout.exe | Timeout /T 2 /Nobreak |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/1968-0-0x00000000001D0000-0x0000000000366000-memory.dmp
memory/1968-1-0x0000000074C40000-0x000000007532E000-memory.dmp
memory/1968-2-0x0000000004450000-0x0000000004490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8039.tmp
| Hash | Value |
| --- | --- |
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar807B.tmp
| Hash | Value |
| --- | --- |
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\Local\Temp\tmp83B9.tmp.bat
| Hash | Value |
| --- | --- |
| MD5 | 2c433d9737acd355653bb4abd50850f1 |
| SHA1 | ffc55753ee0aa87b3420e53c40646449a83eeef6 |
| SHA256 | fa159f4c4fd61df942f4b566613ea9d3b1389ff7aca86865d172e9929a5fff7a |
| SHA512 | 15ecffc96bdb39ef3b57006555b2f8cf1e32e5cd250cf385f4f30bd5cbe74a91469cd79e5a9483a8926b6e02a5ea24f2a2b169012ab48893cda439f32553d9c3 |
memory/1968-43-0x0000000074C40000-0x000000007532E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-17 16:39
Reported
2023-11-17 16:42
Platform
win10v2004-20231025-en
Max time kernel
138s
Max time network
174s
Command Line
Signatures
Stealerium
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp93FE.tmp.bat |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\taskkill.exe | TaskKill /F /IM 1192 |
| C:\Windows\SysWOW64\timeout.exe | Timeout /T 2 /Nobreak |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/1192-1-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/1192-0-0x00000000002F0000-0x0000000000486000-memory.dmp
memory/1192-2-0x0000000004E60000-0x0000000004EC6000-memory.dmp
memory/1192-3-0x0000000004E50000-0x0000000004E60000-memory.dmp
memory/1192-6-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/1192-10-0x0000000004E50000-0x0000000004E60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp93FE.tmp.bat
| Hash | Value |
| --- | --- |
| MD5 | 38e5bb452f6602ce759e729585a72431 |
| SHA1 | 88c484eee41f1f60e8b61b2bc6f30181e927fa29 |
| SHA256 | 55cebc312686d4eacf57ab82c4fba19a7e6a54039a066786bf60d165d848b617 |
| SHA512 | fe97c8f94d8d440743bdef4a75e14a75a75c794a3e9d87693ccc821fa26c8c195d00bb9b2aebdfbbf63fb7a10bd7145a40a75a234fe382fef2358f62a58a4edb |
memory/1192-12-0x00000000749A0000-0x0000000075150000-memory.dmp