Analysis

  • max time kernel
    298s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-01-2024 13:28

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    15eba7d0774bde08d568decf06d12bea

  • SHA1

    353a759556e0763fb3929b4e7832ec921f4dccf8

  • SHA256

    c024b744939bf56b0b8ace99b765be45985d9942b4bf8141eeebd723ab30f095

  • SHA512

    cd1ffa0f2c1180548b33da9738f1e39a1e5e2ea7a5f6cd7c17a5b8bc0f298c9184a311ed012c0e407df7fbadc85b6332b83016efeebf761091fedecb2c8ef741

  • SSDEEP

    49152:/kTq24GjdGSiqkqXfd+/9AqYanieKdsx:/1EjdGSiqkqXf0FLYW

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1195358238842044506/G9asg_ROS67f76luy2HcmQaqPL-g8wQe7Wq2rI7i-9xFGjH8kRD3cQ_zRKvuxI_PU_Hw

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTP 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTP

    The extracted C2 is a Discord webhook, so exfiltration is an HTTPS POST to discord.com rather than to attacker-owned infrastructure; a domain-level block is rarely viable, and detection has to key on the /api/webhooks/ path and on which process makes the request.

  • Looks up external IP address via web service 1 IoC

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoC
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoC
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoC
  • outlook_win_path 1 IoC

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        PID:2492
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        PID:2520
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2328
  • C:\Windows\SysWOW64\chcp.com
    chcp 65001
    1⤵
    PID:2276
  • C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    1⤵
    PID:1156
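The two cmd.exe chains above are the sample's Wi-Fi collection: `chcp 65001` switches the console to UTF-8 so the output can be parsed, `netsh wlan show profile` lists saved Wi-Fi profiles, and `netsh wlan show networks mode=bssid` surveys networks in range (BSSIDs can be resolved to a physical location). The following is an added example, not part of this report or of Stealerium, that scores Sysmon-style process-creation events for that pattern. The JSON-lines input is constructed from the process tree above plus two extra netsh events (an `advfirewall` query and a `key=clear` profile dump from PowerShell) that are assumptions made for the example; the field names `pid`, `image`, `parent_image` and `cmdline` are the example's own, not Sysmon's. It goes slightly beyond the report by also flagging `key=clear`, the variant that dumps the pre-shared key in plaintext.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (one JSON object per line), modelled on the
# process tree in this report plus two extra netsh invocations. This is sample
# data written for the example, not telemetry from the sandbox run.
SAMPLE_EVENTS = r'''
{"pid": 2672, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\build.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\build.exe\""}
{"pid": 2628, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\build.exe", "cmdline": "\"cmd.exe\" /C chcp 65001 && netsh wlan show profile | findstr All"}
{"pid": 2520, "image": "C:\\Windows\\SysWOW64\\netsh.exe", "parent_image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "netsh wlan show profile"}
{"pid": 2480, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\build.exe", "cmdline": "\"cmd.exe\" /C chcp 65001 && netsh wlan show networks mode=bssid"}
{"pid": 1156, "image": "C:\\Windows\\SysWOW64\\netsh.exe", "parent_image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "netsh wlan show networks mode=bssid"}
{"pid": 3100, "image": "C:\\Windows\\System32\\netsh.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "netsh advfirewall show allprofiles"}
{"pid": 3200, "image": "C:\\Windows\\System32\\netsh.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "netsh wlan show profile name=\"CorpWifi\" key=clear"}
'''

# Saved Wi-Fi profile listing ("profiles" is accepted as well). A trailing
# key=clear asks netsh to print the pre-shared key in plaintext.
WLAN_PROFILE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)
WLAN_KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# Survey of networks in range including their BSSIDs.
WLAN_BSSID = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+networks\b.*\bmode\s*=\s*bssid\b", re.I)
# UTF-8 code page switch that precedes the netsh calls in this sample; harmless
# on its own, so it only adds weight when a wlan query is present.
CHCP_UTF8 = re.compile(r"\bchcp\s+65001\b", re.I)
# Executables running from user-writable locations deserve extra suspicion.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)


def score_event(event: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process-creation event."""
    cmd = event.get("cmdline", "")
    score, reasons = 0, []
    if WLAN_PROFILE.search(cmd):
        score += 3
        reasons.append("wlan profile enumeration")
        if WLAN_KEY_CLEAR.search(cmd):
            score += 3
            reasons.append("plaintext Wi-Fi key requested")
    if WLAN_BSSID.search(cmd):
        score += 3
        reasons.append("nearby-network survey (mode=bssid)")
    if score and CHCP_UTF8.search(cmd):
        score += 1
        reasons.append("chcp 65001 prefix (output capture)")
    for field in ("image", "parent_image"):
        if USER_WRITABLE.search(event.get(field, "")):
            score += 2
            reasons.append(f"{field} in user-writable path")
            break
    return score, reasons


def hunt(jsonl: str, threshold: int = 4) -> List[Dict]:
    """Parse JSON-lines events and return alerts scoring at or above threshold."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"pid": event["pid"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

With the default threshold the two cmd.exe chains from this report and the `key=clear` dump fire, while the bare child netsh processes (score 3) and the firewall query (score 0) do not; lower the threshold to 3 to alert on any `netsh wlan show` regardless of parent, at the cost of noise from administrators running the same command by hand.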

Network

MITRE ATT&CK Enterprise v15


Downloads

The CryptnetUrlCache entry and the Cab*.tmp/Tar*.tmp files in Temp are the usual by-products of Windows CryptoAPI fetching and unpacking certificate data during certificate chain validation, which any HTTPS connection from the sample can trigger; the stealer's own collected output is the be742bb0d75f1d84771c6471b8daea79 tree under AppData\Local. Apps.txt is listed twice because two versions of the same path were captured during the run.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B
    MD5 ab27180e7d6f87edf5a77880f3d4a545
    SHA1 da080ce62053130310d345a0f4000596e4040459
    SHA256 19bf0c1191f1cd1ea43beeeb6bcb47d43019d960989a5d06cee858c3e72959b4
    SHA512 6f85503568d0aa705ed3bd178769521b30007b2c90e0d2f7c8f461e59cee40e057d8190ca62980b47828eedc19fdf4cac48ba7b4baa61ba394e73ed8074345ce

  • C:\Users\Admin\AppData\Local\Temp\Cab875B.tmp
    Filesize 56KB
    MD5 73871dfa19508bb55ddae14a24aeb0e5
    SHA1 866b8a17ac7d984379c169668bb5c5cb77790031
    SHA256 5aef7294358b2dd26e1de762049698adfca89a4ad83a6aa0cf068340c46ddfa7
    SHA512 2147fe4e6871f4a6505186b25cd758d802ff556c0fa547947ce63c4589f80c3baf2c3c64e08285d39c316a038f69f9db8ed7871cd55d4cd1246007a128228728

  • C:\Users\Admin\AppData\Local\Temp\Tar879C.tmp
    Filesize 64KB
    MD5 69b8e2fe3bb7142b759bbc3bd3092cc2
    SHA1 c55b032e44415d77a1a2f3f6c6c049b7cc32afd7
    SHA256 d31cf766104ab57466eca8c74b0b1dc3f7729270b60df98dde747087ec3e8bb4
    SHA512 c3b3ca6861a0e35822f0c5b6085f7fc1444b051548aec4362723d1b7a14b72cd832335ca29eea23ce8f9fb71f4ac76c6bf2b58a220722e7843461bf095970b7b

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize 105B
    MD5 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\Directories\Startup.txt
    Filesize 24B
    MD5 68c93da4981d591704cea7b71cebfb97
    SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
    SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
    SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\Directories\Videos.txt
    Filesize 23B
    MD5 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\System\Apps.txt
    Filesize 2KB
    MD5 d34f507dfed49c5d1317b3a3e82b4e6d
    SHA1 ff256742e8f1a766a8921594e406383815798010
    SHA256 ab8fec8a0279ec05b34914d4e61ea6f9da76fda110e8be3b6b21a64d607a3c86
    SHA512 81f2783c87a7068c5c9857b932fe5ed4858ba12c8312a795dcc74cf3b3eebf157b166158fb208b477111cb69bc882ba6a0849d93eee55dced86a8ca22d0e6c2e

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\System\Apps.txt
    Filesize 6KB
    MD5 76ace6bad8d524d9f4090a049af05311
    SHA1 c74030e5a69720fa472411f3c8285f7fc058e89d
    SHA256 c86eae74b4ce67489740b33ce1aa04161d37de3fcad76d204ac26214123b026c
    SHA512 a45424354367aa98970c5f091055f774160b6bc3741deb926922b31382295dc8a5e0ddd1d4fe26cfdd72816db170536a4bae54fccdc9fe4f8e3a5b115366e2f2

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\System\ProductKey.txt
    Filesize 29B
    MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
    SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
    SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
    SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\msgid.dat
    Filesize 19B
    MD5 7857410e4cc6bc3b5434ac60abf3244e
    SHA1 c45673ee717b23ef4a62b6f606cd3962ac28d199
    SHA256 3ba077759fb73bda474069afd402b52e1abfacdbf294c4c9bc084a645423f863
    SHA512 82063635662877a7c5d99f285c1b1d08f98adcfcc6afe4d4756bbcb8b778ee0dc40bcd1f725b740117577fb086a7b5cd11780272c16dcc096f60e331ac2a5e0a

  • memory/2672-153-0x00000000065F0000-0x000000000666A000-memory.dmp  Filesize 488KB
  • memory/2672-111-0x0000000000CA0000-0x0000000000CE0000-memory.dmp  Filesize 256KB
  • memory/2672-0-0x0000000001320000-0x00000000014B2000-memory.dmp  Filesize 1.6MB
  • memory/2672-110-0x0000000074E30000-0x000000007551E000-memory.dmp  Filesize 6.9MB
  • memory/2672-4-0x0000000000480000-0x00000000004A6000-memory.dmp  Filesize 152KB
  • memory/2672-3-0x0000000000BB0000-0x0000000000C42000-memory.dmp  Filesize 584KB
  • memory/2672-5-0x00000000004B0000-0x00000000004B8000-memory.dmp  Filesize 32KB
  • memory/2672-2-0x0000000000CA0000-0x0000000000CE0000-memory.dmp  Filesize 256KB
  • memory/2672-108-0x0000000000CA0000-0x0000000000CE0000-memory.dmp  Filesize 256KB
  • memory/2672-41-0x0000000000690000-0x0000000000698000-memory.dmp  Filesize 32KB
  • memory/2672-42-0x00000000006E0000-0x00000000006FE000-memory.dmp  Filesize 120KB
  • memory/2672-211-0x00000000069D0000-0x0000000006A82000-memory.dmp  Filesize 712KB
  • memory/2672-1-0x0000000074E30000-0x000000007551E000-memory.dmp  Filesize 6.9MB
  • memory/2672-294-0x0000000000CA0000-0x0000000000CE0000-memory.dmp  Filesize 256KB
  • memory/2672-40-0x00000000005D0000-0x00000000005DA000-memory.dmp  Filesize 40KB
  • memory/2672-302-0x0000000000CA0000-0x0000000000CE0000-memory.dmp  Filesize 256KB
  • memory/2672-303-0x0000000000CA0000-0x0000000000CE0000-memory.dmp  Filesize 256KB
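The dropped files above share one layout: a 32-hex-character directory under AppData\Local, a `<user>@<host>_<locale>` folder beneath it, and category subfolders (Browsers, Directories, System) holding the collected text files, with msgid.dat sitting directly under the hex directory. The following is an added example, not part of this report or of Stealerium, that turns that layout into a host-side hunting check over a file listing. The paths from the report are used as-is; the benign look-alikes (a Temp file, the CryptnetUrlCache entry, and a lone 32-hex cache directory without a victim folder) are constructed for the example. It generalizes beyond this sample to any hex directory name, user, host and locale, and deliberately requires the `user@host_locale` folder plus at least two category subfolders before reporting, because plenty of legitimate software names cache directories with a hash.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Constructed file listing: the staging paths from this report plus benign
# look-alikes. Not a real host inventory.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\Directories\Startup.txt",
    r"C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\Directories\Videos.txt",
    r"C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\System\Apps.txt",
    r"C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\Admin@AILVMYUM_en-US\System\ProductKey.txt",
    r"C:\Users\Admin\AppData\Local\be742bb0d75f1d84771c6471b8daea79\msgid.dat",
    r"C:\Users\Admin\AppData\Local\Temp\Cab875B.tmp",
    r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
    r"C:\Users\Admin\AppData\Local\0123456789abcdef0123456789abcdef\cache.bin",  # constructed look-alike
]

# Layout the dropped files follow:
#   <drive>:\Users\<profile>\AppData\Local\<32 hex>\<user>@<host>_<locale>\<category>\...
# with loose files (msgid.dat) directly under the hex directory.
STAGING = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[0-9a-fA-F]{32})"
    r"(?:\\(?P<victim>[^\\@]+@[^\\_]+_[A-Za-z]{2}-[A-Za-z]{2})(?:\\(?P<rel>.+))?"
    r"|\\(?P<rootfile>[^\\]+))?$"
)


def classify(path: str) -> Optional[Dict]:
    """Parse one path into staging components, or None if it does not fit the layout."""
    m = STAGING.match(path)
    if not m:
        return None
    return {"root": m["root"], "victim": m["victim"], "rel": m["rel"], "rootfile": m["rootfile"]}


def split_victim(victim: str) -> Tuple[str, str, str]:
    """'Admin@AILVMYUM_en-US' -> ('Admin', 'AILVMYUM', 'en-US')."""
    user_host, locale = victim.rsplit("_", 1)
    user, host = user_host.split("@", 1)
    return user, host, locale


def find_staging_roots(paths: Iterable[str], min_categories: int = 2) -> Dict[str, Dict]:
    """Group candidate paths by staging root and keep only roots that contain a
    <user>@<host>_<locale> folder with at least min_categories category subfolders.
    A lone 32-hex directory is not enough on its own."""
    roots = defaultdict(lambda: {"victims": set(), "categories": set(), "files": []})
    for path in paths:
        parsed = classify(path)
        if parsed is None:
            continue
        entry = roots[parsed["root"]]
        entry["files"].append(path)
        if parsed["victim"]:
            entry["victims"].add(parsed["victim"])
            if parsed["rel"]:
                entry["categories"].add(parsed["rel"].split("\\", 1)[0])
    return {root: e for root, e in roots.items()
            if e["victims"] and len(e["categories"]) >= min_categories}


if __name__ == "__main__":
    for root, entry in find_staging_roots(SAMPLE_PATHS).items():
        for victim in entry["victims"]:
            user, host, locale = split_victim(victim)
            print(f"{root}: user={user} host={host} locale={locale} "
                  f"categories={sorted(entry['categories'])} files={len(entry['files'])}")
```

Only the be742bb0d75f1d84771c6471b8daea79 root is reported; the constructed 0123...abcdef directory parses as a hex root but has no victim folder, and the Temp and CryptnetUrlCache paths do not match at all. On a live host the same function can be fed the output of a recursive directory listing of every user's AppData\Local.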