stealc | 21bc9284cc3a78d74045780b99fe065c7a5170c5f25b74fd948cb08e8fa90fcf

General

Target

SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
Size

280KB
MD5

d6803baa9bb7388f379e6286521882db
SHA1

63ea3f5558ac9e5ad61fac7710d8301284dace4e
SHA256

21bc9284cc3a78d74045780b99fe065c7a5170c5f25b74fd948cb08e8fa90fcf
SHA512

4701c743d706f56d7519805f58e5314015d83d75978fdd333c46f6a651876f2f79960b8716a75a0efe8496de85d1cd75abba38dda66bbdc258c9fe14152a38c3
SSDEEP

6144:A45RW6ILF3YX78gJaayjOFjG6jPk2MSl:AsRWBE78gJ1yjwrk+

Score

10^/10

stealc discovery spyware stealer

Malware Config

Extracted

Family

stealc

C2

http://5.42.64.41

Attributes

url_path
/40d570f44e84a454.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe

Loads dropped DLL 4 IoCs

pid	Process
2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	2280	WerFault.exe	83

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1936	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1152	2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe	96
PID 2280 wrote to memory of 1152	2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe	96
PID 2280 wrote to memory of 1152	2280	SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe	96
PID 1152 wrote to memory of 1936	1152	cmd.exe	99
PID 1152 wrote to memory of 1936	1152	cmd.exe	99
PID 1152 wrote to memory of 1936	1152	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.31232.1531.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 2456
  2⤵
  - Program crash
  PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2280 -ip 2280
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
106KB

MD5
dbe4f2209d085b56a9982b79e82e4c66

SHA1
d786f87950474157e064446fe348221e552cf38d

SHA256
8a6ed1368f0e4efeaaca1324f5ee1fea84a86e178189a4e3ed4786a2ba607e0b

SHA512
f4c6bfdb0ac319e9950e2e39d9ddcbcdcb3142a50d9d756c034b04457af192eb2d80d8da3b3db60af192d707779b3630ad5eecc35f4949e83b369f731363fc18

Download Submit
C:\ProgramData\mozglue.dll

Filesize
92KB

MD5
8297f90b707a4f0eaddb1de819c4206f

SHA1
6b7cae185d493062e04f515ff33a53af275c1915

SHA256
d1529550d4e3a40b478c582c8d9e96d95d73f4b91084ff1dd3221914eb22196a

SHA512
0de1bcc849941630e0166e426f57610a1036f06ffa45c21078b3cc5ddfb20acb45c5e0b8912689aaf4545126b1d0498646e267fd716ef6e9b7ddba601f265175

Download Submit
C:\ProgramData\nss3.dll

Filesize
149KB

MD5
b3d4ecdfc85e846ba31dcd7c0460c622

SHA1
322a6881189162e8e430ec0f0ab6818bd63b2c21

SHA256
df2c9614bc228a4094def506debab3ca7232b3eeaf4f5cf63d2ba3eb3410ca93

SHA512
52f6836b1e2c5564aecdc7b427225f83c8c7bcc0c111f9b134adfb50697ffe0147d1834abfb87c31dfb3621b81a7c8fd8625e6859b942e4b5ac7499acf84f603

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
memory/2280-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2280-52-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2280-1-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/2280-81-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/2280-82-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2280-2-0x00000000007F0000-0x000000000080C000-memory.dmp

Filesize
112KB

Download
memory/2280-3-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2280-91-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads