Overview

overview

10

Static

static

7

033362225c...85.exe

windows7-x64

10

033362225c...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    033362225cf09b9ae543da265c7d1885.exe

  • Size

    3.4MB

  • MD5

    033362225cf09b9ae543da265c7d1885

  • SHA1

    4d2b95b71dd92277718b54a341ba62b24c95c888

  • SHA256

    9388288b3a18d968cd47446d545eb63d272bac65c0ad1d490beb389d94d2e9e0

  • SHA512

    41b858735f309c938db681cd1a974dd47c7ff0fe3286f713ce50d4c7e070e64af26dd9a2dfe59f7a559d4255557d0926406c66996edb819ab466f4527349543e

  • SSDEEP

    98304:UVrHzZ9ACjcIOrJkqn7lAmpe+oO8XuhAAe9tSys3mm:UVDzZCkcI66qn7lAmlobXuO9tSvf

Score
10/10
darkstealerechelonbackdoorcollectiondiscoveryevasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Darkstealer

    Darkstealer is a file grabber, data stealer, and RAT.

    trojanbackdoordarkstealer
  • Detects Echelon Stealer payload 3 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon - DarkStealer Fork 3 IoCs

    Payload resembles modified variant of Echelon Stealer called DarkStealer.

    stealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\033362225cf09b9ae543da265c7d1885.exe
    "C:\Users\Admin\AppData\Local\Temp\033362225cf09b9ae543da265c7d1885.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Accesses Microsoft Outlook profiles
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2888-0-0x0000000001190000-0x0000000001AD8000-memory.dmp
    Filesize

    9.3MB

    Download
  • memory/2888-1-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-2-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-3-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-4-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-6-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-17-0x00000000750C0000-0x0000000075107000-memory.dmp
    Filesize

    284KB

    Download
  • memory/2888-22-0x0000000077540000-0x0000000077542000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2888-21-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-25-0x0000000001190000-0x0000000001AD8000-memory.dmp
    Filesize

    9.3MB

    Download
  • memory/2888-24-0x0000000001190000-0x0000000001AD8000-memory.dmp
    Filesize

    9.3MB

    Download
  • memory/2888-23-0x0000000074550000-0x0000000074C3E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2888-20-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-19-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-27-0x00000000051C0000-0x0000000005200000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2888-18-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-16-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-15-0x00000000750C0000-0x0000000075107000-memory.dmp
    Filesize

    284KB

    Download
  • memory/2888-14-0x00000000750C0000-0x0000000075107000-memory.dmp
    Filesize

    284KB

    Download
  • memory/2888-13-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-12-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-11-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-10-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-9-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-5-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2888-87-0x0000000001190000-0x0000000001AD8000-memory.dmp
    Filesize

    9.3MB

    Download
  • memory/2888-89-0x00000000750C0000-0x0000000075107000-memory.dmp
    Filesize

    284KB

    Download
  • memory/2888-90-0x0000000074550000-0x0000000074C3E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2888-88-0x0000000075740000-0x0000000075850000-memory.dmp
    Filesize

    1.1MB

    Download