stealc | 920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791

Analysis

max time kernel
292s
max time network
182s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
10/12/2023, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
Size

2.3MB
MD5

9277e82030f3f80d2acb91ca8a2e21bb
SHA1

ea7e13d61fec22537017c241236a418bac2030e1
SHA256

920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791
SHA512

6333271a3e1ee84d0d0038c189c326832dabb4f1a4d1e3f8b63b367ff3ee3409d5b386da47ac40a3e6606a0ed69d1d06dccbc32308dc13da243e79e9d360b701
SSDEEP

49152:7L2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs8:7pzX71oDCRAZUviAHImDqia7hs8

Score

10^/10

stealc discovery spyware stealer

Malware Config

Extracted

Family

stealc

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1736	Broom.exe
2756	nso5535.tmp.exe

Loads dropped DLL 9 IoCs

pid	Process
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
2756	nso5535.tmp.exe
2756	nso5535.tmp.exe
1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nso5535.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nso5535.tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2500	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	nso5535.tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	Broom.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1736	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	28
PID 1976 wrote to memory of 1736	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	28
PID 1976 wrote to memory of 1736	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	28
PID 1976 wrote to memory of 1736	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	28
PID 1976 wrote to memory of 2756	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	30
PID 1976 wrote to memory of 2756	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	30
PID 1976 wrote to memory of 2756	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	30
PID 1976 wrote to memory of 2756	1976	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	30
PID 2756 wrote to memory of 300	2756	nso5535.tmp.exe	32
PID 2756 wrote to memory of 300	2756	nso5535.tmp.exe	32
PID 2756 wrote to memory of 300	2756	nso5535.tmp.exe	32
PID 2756 wrote to memory of 300	2756	nso5535.tmp.exe	32
PID 300 wrote to memory of 2500	300	cmd.exe	33
PID 300 wrote to memory of 2500	300	cmd.exe	33
PID 300 wrote to memory of 2500	300	cmd.exe	33
PID 300 wrote to memory of 2500	300	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
"C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\Broom.exe
  C:\Users\Admin\AppData\Local\Temp\Broom.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
902KB

MD5
06ff973fdd741f8df5119e7dc052d2c2

SHA1
cdc74a92d27b79344c879b92fffcbd60dccaf7fa

SHA256
d2e1da7061386c5020156724bb3b22e663074ca7403baa8848b6a3cb8d28f192

SHA512
41883589cc191d08632b0ebc59fc185ce42cda57b9754d2c1b0f374b217d19d7e497b7ec028b3b8fe9c70484371917d2be002e817c54d6418ed967c724eca3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe

Filesize
23KB

MD5
50b6acb2396974449acaea1fdbffc8af

SHA1
577d979b80a543c653e56474ab0773033496276b

SHA256
303b0005db772957b2cf61a538445172bf67605343de73684f9215e1610d7ef4

SHA512
04f341d2d011c1e90176ab1f0abc45833d242a77a86c21e2ac38bcdc276377555659f35ceb92d0f6f0ee18ee255b124f5a9f7c793040d489909b2d682a007a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe

Filesize
42KB

MD5
911d8dcbd9c1f51dde00a09c0fc21135

SHA1
12dc0d556133d90d92f40615ae13d312cf754198

SHA256
5096319e8c55546b56da01434546d09793eab7f633bbbf7a7db51a034b1e5c58

SHA512
63a9e4bab412e1a2c5329745c2f1e7aa9d79be31217cd9087777937f922a5d7b52015cc82439f69cfaff0535d8917162cb95f6e779e808ae0e7d2162b8206648

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe

Filesize
157KB

MD5
883f50d8a42d9f8cca4491c162137401

SHA1
9060e61342c391439d61fc21ab195848eeb7e637

SHA256
8982c28a9fb4e53ee50e8080cf2c89d720722b2e8a7eb8cc6a1db841c5c77402

SHA512
6eb1c580718108527c78ba07da635b15700cc9f239345f54ca381038a58e8189f60c7fc83bd67461df98732bbb22543cace3ede12b1bffa29a0183cfcbcec09f

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
972KB

MD5
f318d08379c868b51fc3e20770d92c63

SHA1
8a8a7950a6b01e7f55e3014a6a75b6ec59b054bd

SHA256
873ee39c32990c6dc1263072196f12a4ed61e742dcb98f761f7d0f2175691d29

SHA512
5127af605eff0b7ce0b0bd7a8565f1be0bb618792590b88b6275ad77626e277c1bed96002bdd8d2b1ec91d43d5d3a6fa431b860d4d3f98910cd89fd6ecae2951

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
918KB

MD5
8c7243a3304d1947938a5c782ac20517

SHA1
e37bc93bc6355f992fa83021e448e3eedc34eb81

SHA256
0c14d29e9792c572ccdba1961a40463fba636910149c05755d2d3ac24f03cb57

SHA512
46d5fb447a102a52a5bef28179bc29475a340bf19b318d0ebfea18862e0904c9845c47ca7f00e38b2d2a1b31d8f1beaab70ddb6cadd44778c3acb3ada2a50936

Download Submit
\Users\Admin\AppData\Local\Temp\nsd451D.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe

Filesize
155KB

MD5
c9a8c9fcb266f2242be63f88087a1b83

SHA1
1b3ad82b6f024b5b5f3ba35186f8d59810fd058a

SHA256
5dceade5990cd484f4468c8facca91c5adfb434e73aca4ee8e4c6b075f406fd8

SHA512
0c0f01e585133c35e6c89399cf70174213290b7e6125c4d8baebc8c97e9ecaf72aab40522fc8fca15f555c906241de630cdd8031cf4295fa59e82fda5082c18a

Download Submit
\Users\Admin\AppData\Local\Temp\nso5535.tmp.exe

Filesize
155KB

MD5
7110cf3becc36f55fb211436eb238b94

SHA1
e5de7871fe2add2452403baacd4b486008ae68fc

SHA256
00f00616725c590a2ab6d0e0658e3f3c4a98c6e93466b025893dd32b20c6e766

SHA512
15175e1f0e67b4115f294bc6e7f9595fd0277127235ca9ad20d3165296f0890748fba57bc94b7a8c3f11360a32340d0e27189d44889926b774096329be6d368e

Download Submit
memory/1736-10-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1736-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1736-69-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2756-34-0x0000000000D70000-0x0000000000E70000-memory.dmp

Filesize
1024KB

Download
memory/2756-37-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2756-97-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2756-36-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2756-109-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2756-110-0x0000000000D70000-0x0000000000E70000-memory.dmp

Filesize
1024KB

Download
memory/2756-112-0x0000000000D70000-0x0000000000E70000-memory.dmp

Filesize
1024KB

Download
memory/2756-111-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2756-35-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download