stealc | 920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791

General

Target

920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
Size

2.3MB
MD5

9277e82030f3f80d2acb91ca8a2e21bb
SHA1

ea7e13d61fec22537017c241236a418bac2030e1
SHA256

920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791
SHA512

6333271a3e1ee84d0d0038c189c326832dabb4f1a4d1e3f8b63b367ff3ee3409d5b386da47ac40a3e6606a0ed69d1d06dccbc32308dc13da243e79e9d360b701
SSDEEP

49152:7L2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs8:7pzX71oDCRAZUviAHImDqia7hs8

Score

10^/10

stealc discovery spyware stealer

Malware Config

Extracted

Family

stealc

C2

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3528	Broom.exe
2952	nsr2EEE.tmp.exe

Loads dropped DLL 6 IoCs

pid	Process
3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
2952	nsr2EEE.tmp.exe
2952	nsr2EEE.tmp.exe
3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsr2EEE.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsr2EEE.tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3208	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	nsr2EEE.tmp.exe
2952	nsr2EEE.tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3528	Broom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3528	3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	71
PID 3848 wrote to memory of 3528	3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	71
PID 3848 wrote to memory of 3528	3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	71
PID 3848 wrote to memory of 2952	3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	72
PID 3848 wrote to memory of 2952	3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	72
PID 3848 wrote to memory of 2952	3848	920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe	72
PID 2952 wrote to memory of 64	2952	nsr2EEE.tmp.exe	75
PID 2952 wrote to memory of 64	2952	nsr2EEE.tmp.exe	75
PID 2952 wrote to memory of 64	2952	nsr2EEE.tmp.exe	75
PID 64 wrote to memory of 3208	64	cmd.exe	74
PID 64 wrote to memory of 3208	64	cmd.exe	74
PID 64 wrote to memory of 3208	64	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
"C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\Broom.exe
  C:\Users\Admin\AppData\Local\Temp\Broom.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:64

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
301KB

MD5
31d94817d53eb8e6cf696b62708d2ac3

SHA1
221c6d910b6a37b201e675d4e8109ac3c717189f

SHA256
b31b07e67bfa6ea31aaeeb458f020d5f99a38b3db975dcb6219768c565f4067c

SHA512
def2ba5aa97b8d68cd2b22e2eb405b6b4f459c6ebd3afb0d3dbf4647a6d0b0c20ecbbc46211a161c56dc0fd9e3051e5f5de36e65a26db89caa8ae9ded073ae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe

Filesize
334KB

MD5
580930ca34bb39e081064bab11f16a97

SHA1
75afd6b341a833ebec15116da3672b203f81d067

SHA256
aaa8d75cc5a3aadf9d4d3c2c9f45217c85db2804bb9ec7a718319ad80311baf9

SHA512
2d0e4935a7ccacedb6a4a95077d3658aca1913da001cbb55d3756f3e581d5e2164d136241f86d91828099d8b3c882a68fee34478e041831c1ec9d9d5e1eb75ed

Download Submit
\ProgramData\mozglue.dll

Filesize
368KB

MD5
7e55d6f45330c77e48672a138c0c813a

SHA1
5313c2776bd31d2859d032ff0b8ad4d4b3563409

SHA256
26ae134b4dd0f458eaa20fdfe0a722e34584eef7a620881f03d5d19046242452

SHA512
ae5e185b54dad23c25a0749390f8da675d9ec752b8292bc8b131c03fbaf57ef2bae27da3d80f727309de48bc72a4faec8bf0e2150c3df48ff5cfdb985f0e8b84

Download Submit
\ProgramData\nss3.dll

Filesize
297KB

MD5
c5f2b221c9c74068eadf9e315981059d

SHA1
9414d3b2bbf48bc3ed589c06647e456892d1ce5c

SHA256
a9a491d5acc79a6b1b718d3325341d711ac86e3edbf3f08c9f5ee52b56673c8b

SHA512
09b619f2b719099cb3bdace79c2d9ab648c2d884203d753c9120ca91b6360068c2f6f756bfa6d65502bb9b3e03d1ee068fb2df0d8ec16a6cfc1c7d8dbe3f5ace

Download Submit
\Users\Admin\AppData\Local\Temp\nszD1B9.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/2952-31-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-29-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/2952-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2952-30-0x00000000027A0000-0x00000000027BC000-memory.dmp

Filesize
112KB

Download
memory/2952-94-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-108-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-114-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/2952-115-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-116-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3528-18-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3528-8-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3528-7-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing