Analysis
-
max time kernel
121s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
19-01-2024 15:31
General
-
Target
Creal-Stealer-main/builder.bat
-
Size
57B
-
MD5
c856a1995fa86d5bf3dde2a2de732d93
-
SHA1
21de21d0ea29ffb9f3061b5d81116408dd228cb8
-
SHA256
23fb3df8dca77c02ab3d76013b6e12a2a1fda1a93ef675211c77df9ec6ce39bd
-
SHA512
793fb9e4d8b146a4e8d6e0dfa2d756ade17143420215f6b10646758bff39df964f6fa29761b4c6755dac7d1f8aea81152ac615d5b91bcea6018f997d0ecb5715
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Creal-Stealer-main\builder.bat"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc93d246f8,0x7ffc93d24708,0x7ffc93d247181⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.0.958029262\1180018747" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40aae7c6-727e-409a-a9de-a12d990b441b} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 1920 1bad0ed6b58 gpu2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.1.700148750\1150867063" -parentBuildID 20221007134813 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d51441c4-aa2f-4a17-ae3e-84d0ba29c8d1} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 2344 1bad09e6558 socket2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.2.146355027\545244647" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3096 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64f164cc-f71b-4adc-b5a6-3e87e568d60d} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 2996 1bad4ca8a58 tab2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.3.1311892762\135825176" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3472 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ac46ef-1835-47de-bb14-6067a65f60b5} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 1464 1babcf67e58 tab2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.4.2066703345\1399653630" -childID 3 -isForBrowser -prefsHandle 4456 -prefMapHandle 4452 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f2bbf2-a8c4-463c-8e9a-ae52432d8570} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 4468 1bad62c9258 tab2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.5.1109027651\445267736" -childID 4 -isForBrowser -prefsHandle 4852 -prefMapHandle 4944 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f6b18cf-08c4-4f9c-8647-c9c44524f696} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 4948 1bad4db4258 tab2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.7.1032112295\1812770801" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ee320dc-a3e9-4588-812e-607be0e5c276} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 5396 1bad6a93658 tab2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.6.1753025575\822527102" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f300c90c-b0af-41b3-a397-26860059b0af} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 5108 1bad6a93058 tab2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.8.102034768\650706892" -childID 7 -isForBrowser -prefsHandle 6016 -prefMapHandle 4220 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2514210d-e0be-4eeb-ad0e-0e1edf7ccbf7} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 5808 1bad3214458 tab2⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:21⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:81⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:11⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7914214632208037287,18008220081824211583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:11⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cstealer\Creal-Stealer-main\install.bat" "1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cstealer\Creal-Stealer-main\install.bat"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cstealer\Creal-Stealer-main\install.bat" "1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
41KB
MD52790b81ba74e4b8453e228a452885db2
SHA1b07901585c8a15132c6f77cf3db3e8a0477a19c6
SHA2560306142de7f010c17d23cc16f3856170d89d8c9465c130a8e5292105d58ea92d
SHA5124fd8cbc31e8bae6924780d29fb5608ad5010d69f96eb8d65e36f8f01168091a50876a0f7885cf599c23937886235d74fc7211d70868fe9617d67b3a4d54c47ab
-
Filesize
28KB
MD599d048110bd8869ed20df3eddad45102
SHA18d976f82751fc16e48d27c718439c912e0f74a69
SHA2563ce6a0f6e802532ba07df77dc3d54e16d81c8f8dd32f5f8777e36b6cad89d527
SHA51230a6c4c291424ce479963239024f81657751a6f10fe56ee1af24118e90e4e1055d6391505d49cb736f2c57c60a5f3f1ce802e4fcfae56b9746027a6b18bce65f
-
Filesize
2KB
MD5f20aa4e6abd0f4a4feb4047ef0e2a592
SHA1dd61b0fcd0e5499a78322cd3af597ce0d4dbf7b9
SHA256441757814696d914f29ae5bff605c0e1fce66f9f3f70f5ecbfb6417444f6b209
SHA51202f8ba22da499f2d7d20dffafb23c13557139e9e1ef5773033051908b1eaf21ad1f536bddf71a3622d37a793ed7035452c568a74999675e064ff11cf8d2291dc
-
Filesize
746B
MD5ffd87c59961328f7fbe17c5640f67ed9
SHA1aca50ae5267f1c5a8b206176777e4580760d2730
SHA25691cfc680d9a5e18a029a0109f6fdd94c9a191a3c8799b672413f1cfa5bc209c1
SHA512a8b15751e04fa2e8c77b51f95d6442a5d7fe3dfc2ede8a408726d6e58d6d058f68da6a238abfa503ddab835c21998d870b889a3b5f5891119d4f74546cf3aa3e
-
Filesize
11KB
MD58654c5983b8fa22051c6e680d510a455
SHA1314000d27687845380ab6f6b73278439f93dca72
SHA25662189a818e53759ff65b0630461b1bf3585caaab5c095b23c4b8e6b417c4cb13
SHA5122494a0f5f2521e4efbf6688cee81bc1209b716d5ad87ad0b2c923d196c4b1442924060e43ee3070d342158b56af8794ff83b6f698913cf8025fc69fba8403f4c
-
Filesize
6KB
MD5604d336fa2fb909a27195d6da780b884
SHA1afe37c36069caaff2f6406ccf29d6d63c40ebf62
SHA256e0fc65c67cf84412406ee4254cabc5b42f1e6db25f634ca8669cc306e3105958
SHA51224df075d73f4c46ee3de4b998a8a275cd39eae645ad5e70ca4ea54505e3a365d5aa24e3f40aef54790617d57978a79f1afcfe7c993f9ee47cf27551dc2056da0
-
Filesize
6KB
MD51ca0f3493657bc696bc1009103fd0a8c
SHA1d8419c65f5d8f6edcbf80adf1cae5124d038d813
SHA256db72cf734d79ea6b3abf6e995e92a55a79ad76716b0b00246be0d0d452dad83b
SHA51277ff49ea05dd59a2842e08c624c337d30988a5805a532f8f7a31217664688b56660c12567080b3f2c26ec2f5d4fbf804a0f3a8cac4b3d303f1e4ae0543191de5
-
Filesize
2KB
MD539bd0bf1188e55b6453d959f279e0781
SHA10cc03e73ca7e56913679e19244cabcdb5fe7d948
SHA2564636a2600479e3134eea47c06b054306d4af62b4c9ea0063a2ad585fe272f9c0
SHA5125a8cf2a6130faf958c1a063605736d88d8370606fd273dac1c749917ab24902b07687531783efbcb9c00991fd3f891877df49a26a5051fcbc6c151f5a79ccb17
-
Filesize
7KB
MD5cc32499f2c535cff79374784bbdfeb0d
SHA1ba0554b92913651bcfa1bd3ae92ed054865c3c9f
SHA2561072e1c95aae2b09477e3586101e4eabf3342c2e58552d9bd52fa4a8214eb44d
SHA512f393562c86413215e7a196bfe951c6a8f228acbd082e01233e3f2d274cba1785b1a945e48cbc95fae6e5398807f5140c0f2ed9670188b70b67d196186dc9377d
-
Filesize
442KB
MD5f1588dee158c088ba14a31fc33c2939e
SHA10b776d41a6e048d8be953b73c12c09a4d22489b4
SHA256330443e86efd23fd22c62a1fb09b86e1caa94e017bab089a92fb41e28ae9ceac
SHA512262d9e39ddfc4438a74023659dc7b7ec1dddb547db46a1cef5aa92190905b870550689ecaa8ff9eb8794b6a231d8091dacad1ca0967771c947483e333e832f57