stealc | 5b7684625a58dfd9443876d3e79c984c1db3e4d57f022af109bc156de3568d87

General

Target

12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe
Size

2.4MB
MD5

b1ce78925165a38b75a7a9717dfdc729
SHA1

483da845f077f1bbeb190381bb0566b291beca8d
SHA256

12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832
SHA512

ddf27f54eea14bdd6ff463fbb94076046abf59d74db5a4e912049558681807a5e35d962d3eaa91b836706d3a118acab750512b7fc798d0c70303ff15c452868d
SSDEEP

49152:vb2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hsn:vZzX71oDCRAZUviAHImDqia7hsn

Score

10^/10

stealc stealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2396	BroomSetup.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe
2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17
PID 2844 wrote to memory of 2396	2844	12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe	17

C:\Users\Admin\AppData\Local\Temp\12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe
"C:\Users\Admin\AppData\Local\Temp\12f842c1065cf459f3e9fccf3abd75cc37af8f65c06bc7e93f29ec2cbdba9832.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\nsoC68D.tmp
  C:\Users\Admin\AppData\Local\Temp\nsoC68D.tmp
  2⤵
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
89KB

MD5
d97a903ca9291841e4d90c045bd8d3bb

SHA1
2c8a9cf048e7c4333d98326205917df164485b47

SHA256
c865109c072ff1fd9e6645fe5d5c0299600ca9d211095a5749f8ed2714e21a40

SHA512
f2872c5638be5ae5eb4b2963bb25040f97106cac194eda25d310a27a35885afddcd815e8d059b46a2dbd657d206b4caf3a5df890fc95936f311b7db3fca70efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\INetC.dll

Filesize
1KB

MD5
c7ae096c02849c7eeb07623b18de8a59

SHA1
9f57c75aa9f96121413a793d356d876a09f564ca

SHA256
711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0

SHA512
2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC68D.tmp

Filesize
9KB

MD5
4df7bb44bc3a97991ea26a3f480fae77

SHA1
eab29f3beff005f5deb3bf1e721e456d12b8c1ae

SHA256
c75cbfe15b64db1a7d3bedf73f5c35d66f0c44e68868578ee3f673aab77b4f0b

SHA512
ae2ac3b5d4160f5e8907530a1db6767aafdf559f3715772893261bd2fc0ce3c0bf35a7c4baadf1f9f0ad91a7638e92f4a366f502462f3aad27b30fc00ad310ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC68D.tmp

Filesize
35KB

MD5
6652f40d98245cb0191fabbec84a1259

SHA1
96ea3ee46e11c9106c189ef92548e4be2aac7142

SHA256
e695e8076fc1f1e05ade05cb792835457e2ef6a5dde9c1eef67f3d5502f19e96

SHA512
983197c45baefa8e5dfeadf6138d1db5eb8d989054041a2d9719490dcb6dbd8ceac8873b5ead4cf2e9ee7bd9291b46191218a852cd9f47bd92f3c6955d7b12d8

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
12KB

MD5
e8f5b1f5af97824bd15a7f03cd57f8cb

SHA1
e5c66a16b46d70b27070b847d0239bae1857c737

SHA256
038c29b78956037708909b89ffe27ab82629e724a6122e5e84aa903d5d7b4697

SHA512
a893b088ab2b0a327c4e19bc2748ef02df2fe16dbf1ac5076d31558acb7a013f1234783f064e2d1f4d660b17b9bf8042b045c57e519f665a1153cf5b31a9170f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi13E0.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC68D.tmp

Filesize
53KB

MD5
6c465be93a0d554eb6bdc72b03935dfa

SHA1
349edfab18d9b5994ae2bcbadd393882047ff683

SHA256
8a70b458520c5e7e666bb5c610be6f7da687cc71bfdd59991a72e18343b42087

SHA512
db9dcf4e2bf6de17bc3d62d26ed7cc1d04c5c766ed8ada43a2cb95df64e748cbd40b0a46f71742a921302fd5b3c35875559c436a7eb55e6ee3bbc091bc577a29

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC68D.tmp

Filesize
46KB

MD5
e25ce8ee1c33adfe54803708f57f29bd

SHA1
bbead62715d3d72afd9982311f7d2cbc4e7f2455

SHA256
7306b3393947e0523073ec4e092026a67001b9a573c5ec69492e94ce38239207

SHA512
10640f339bc098d6ec03069cf3ed520abb66d628c5868d2b86cb099eb3544717c7780e1c22170a6ac4a19a566f7c314910d8e0abf5a727d5b592461684e85ae0

Download Submit
memory/1780-49-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1780-48-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1780-47-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1780-51-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1780-54-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/2396-21-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2396-19-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2396-10-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing