stealc | a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164

General

Target

a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe
Size

333KB
MD5

a63e4abfd1a99c443dffc47b13cff274
SHA1

4fce47a297b87d7c763561df085be0c5e0b60e72
SHA256

a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164
SHA512

2019c5a67655e4d8097e6d2a926f4a8d8854f756e060eb95cd8663dfcc228bdf3719e0caa361d8065f495bdc00ba57b12c63091953091e65971ec81b2aa366b7
SSDEEP

3072:l7ZzIn7RKTJDRFXQbGjLmYEaBT8t2oH2FKllOfKIq8AdB+7nM1TNH9e:JFIohXLjLmJa4ISSKVdOM

Score

10^/10

stealc discovery spyware stealer

Malware Config

Extracted

Family

stealc

C2

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Loads dropped DLL 2 IoCs

pid	Process
4784	a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe
4784	a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	4784	WerFault.exe	15

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1664	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe
4784	a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe

C:\Users\Admin\AppData\Local\Temp\a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe
"C:\Users\Admin\AppData\Local\Temp\a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a79f99c968f55057aa6469f94dc3b0b2415e88dbae46382f280f55453b7bd164.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2308
  2⤵
  - Program crash
  PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4784 -ip 4784
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
230KB

MD5
2888686376fae667beb35b20e0b0a395

SHA1
a0af67b6506dfca0f8f150edb4ce8785a36b590b

SHA256
59fb2f6e170f0cca352bd58f9419c2b9fef501e9d7288b064504b0eb87ec139d

SHA512
cab895bc9fa96fa09bfa8a28aed5f575835479727e1297a550505b91d7053070b2e6c97dd39e6c33b46d7d8b23f77858693841c896f6efb5dc1095f803968161

Download Submit
C:\ProgramData\mozglue.dll

Filesize
211KB

MD5
55e936a84a14cd365465d97136aaff1d

SHA1
d5c0e0c55e4d6b1e0a14ceaf83b24a1a182fda9a

SHA256
451d49f495326e77ea092a397288e5961dba366cc8b7a45d5b2c0c02459b62d1

SHA512
0d19fd37a16d9fd918f6258b231bbc3c39293956336d90cae0f3883a77ff0b9325d6388d92a72ccc14167f4c058c772e679ae91882edb874efa30ad6d43ad48c

Download Submit
C:\ProgramData\nss3.dll

Filesize
307KB

MD5
b5cc466b84f7856aae8d745118aadb01

SHA1
5a8e241f3f006b69f8421ab07cdb206cc3a0e9b3

SHA256
7716caae986978f197d5b34b256868171c7aea8081eb920335b6114437d90b6f

SHA512
30f02e913d7d56fcf74c1bc9bd0c6e9ba360abac6b7a3dda8f903d211c46398b9bc0fd3504ab264cc5599d7db7f00d7643df7df20f9f517819d878a8f3ec69ff

Download Submit
memory/4784-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4784-1-0x0000000000DA0000-0x0000000000EA0000-memory.dmp

Filesize
1024KB

Download
memory/4784-3-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-72-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-81-0x0000000000DA0000-0x0000000000EA0000-memory.dmp

Filesize
1024KB

Download
memory/4784-80-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-88-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-93-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-2-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download
memory/4784-101-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing