stealc | 615b666d7dbd523685e35a7bd7abb3d93f3cf82a9bc3374be0134be716a89080

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc8639cc65bbaec9670c58fa27963a3.exe
Size

295KB
MD5

2bc8639cc65bbaec9670c58fa27963a3
SHA1

df2bb824f891d5739bc0e4ee35987eb9d6beb6f7
SHA256

615b666d7dbd523685e35a7bd7abb3d93f3cf82a9bc3374be0134be716a89080
SHA512

10af5b8e849126b005a246570bd2a71e4c2c973172c1d0564b24b01937a8426b2b6f29a712200d04005b9954fd4a082faa0f4a3996ddf6f7951fdb83cde93a0a
SSDEEP

6144:VrLjp+1xf5atcTdV8Gviyn49UKRF9u+diYp0va:VrXpIf4tcRViynAU1+0Yma

Score

10^/10

stealc discovery spyware stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1760	uq0.0.exe
2092	uq0.1.exe

Loads dropped DLL 11 IoCs

pid	Process
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
936	2bc8639cc65bbaec9670c58fa27963a3.exe
1760	uq0.0.exe
1760	uq0.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	uq0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	uq0.0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2804	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3000	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1760	uq0.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2092	uq0.1.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 3032 wrote to memory of 936	3032	2bc8639cc65bbaec9670c58fa27963a3.exe	28
PID 936 wrote to memory of 1760	936	2bc8639cc65bbaec9670c58fa27963a3.exe	29
PID 936 wrote to memory of 1760	936	2bc8639cc65bbaec9670c58fa27963a3.exe	29
PID 936 wrote to memory of 1760	936	2bc8639cc65bbaec9670c58fa27963a3.exe	29
PID 936 wrote to memory of 1760	936	2bc8639cc65bbaec9670c58fa27963a3.exe	29
PID 936 wrote to memory of 2092	936	2bc8639cc65bbaec9670c58fa27963a3.exe	30
PID 936 wrote to memory of 2092	936	2bc8639cc65bbaec9670c58fa27963a3.exe	30
PID 936 wrote to memory of 2092	936	2bc8639cc65bbaec9670c58fa27963a3.exe	30
PID 936 wrote to memory of 2092	936	2bc8639cc65bbaec9670c58fa27963a3.exe	30
PID 2092 wrote to memory of 2664	2092	uq0.1.exe	34
PID 2092 wrote to memory of 2664	2092	uq0.1.exe	34
PID 2092 wrote to memory of 2664	2092	uq0.1.exe	34
PID 2092 wrote to memory of 2664	2092	uq0.1.exe	34
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2804	2664	cmd.exe	35
PID 2664 wrote to memory of 2804	2664	cmd.exe	35
PID 2664 wrote to memory of 2804	2664	cmd.exe	35
PID 2664 wrote to memory of 2804	2664	cmd.exe	35
PID 1760 wrote to memory of 1996	1760	uq0.0.exe	38
PID 1760 wrote to memory of 1996	1760	uq0.0.exe	38
PID 1760 wrote to memory of 1996	1760	uq0.0.exe	38
PID 1760 wrote to memory of 1996	1760	uq0.0.exe	38
PID 1996 wrote to memory of 3000	1996	cmd.exe	36
PID 1996 wrote to memory of 3000	1996	cmd.exe	36
PID 1996 wrote to memory of 3000	1996	cmd.exe	36
PID 1996 wrote to memory of 3000	1996	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\2bc8639cc65bbaec9670c58fa27963a3.exe
"C:\Users\Admin\AppData\Local\Temp\2bc8639cc65bbaec9670c58fa27963a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\2bc8639cc65bbaec9670c58fa27963a3.exe
  "C:\Users\Admin\AppData\Local\Temp\2bc8639cc65bbaec9670c58fa27963a3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\uq0.0.exe
    "C:\Users\Admin\AppData\Local\Temp\uq0.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\uq0.0.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\uq0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\uq0.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2804

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:2772

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uq0.0.exe

Filesize
280KB

MD5
99c2e62feae17123dca56c12f4e2836e

SHA1
fdf0ba6754d03dbabe5a198ff645abc7e642c6a6

SHA256
995306aafe2d7e8dc1bf8e088b0370692333508b3eb1f59cb0344d169808e0ae

SHA512
1b0d2b86fdfb43b60ec807bcb4de10015fbfdae528ec9932e664a266f300c61afe4a9b5d4969d84c0ecc8eddf801568cff61e06d81c8f510ff14377e5f2f0014

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0.1.exe

Filesize
99KB

MD5
e05786a859a868660a78c46e90fc1d0d

SHA1
99c78a694b0fceaae2460cd2bda511eab447a287

SHA256
90301110a0608deb669717d3a4f47e3e865cd8b92045ee7ed78837a1d8434986

SHA512
85ca5acd472217a90baaf1fd72cea5e2177e59d4535f39445a37343046743f9deb55d9e44e973bd212297a7c533b8539c856c0c8d833caab87c2adb2d59bbfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0.1.exe

Filesize
106KB

MD5
f0a31d284c212abaebb9781cb990c63e

SHA1
2e8a7a5e59bebdcc0af2289e683f968154aa203e

SHA256
d0b49e15151baa658354433517d3612c5becba00fdba5438e4ceab4690a2860a

SHA512
711d77c9354b94c2b3b994988c59c254b9142981ce89b8c0dfd66305b12cd4ffdf665875887c8cc832b8dcdb5b15d9115a5f14b349628e82eac174e851ad438e

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
\ProgramData\mozglue.dll

Filesize
55KB

MD5
6673ca911e11b6858715854d597f78a9

SHA1
f1f2df987d10891eea68758f149637c90df3c1a8

SHA256
e99f5cd4bee4e59927909000a40cb5952047a2105959778377df81d7b820257f

SHA512
6e7d31cf3094c7b19654439e310ce4e55d79dba9c60ac117f3dc4fceecebb8c136f9bffecc02db992cc2e6e98dba9af37bd9a9ee9047bc3af05c04ed9e6137d6

Download Submit
\ProgramData\nss3.dll

Filesize
136KB

MD5
93de5c5266293f8632ade2f1fe8a6aba

SHA1
08f0b94866cce33aa2fffcb1633f9b1e8a7466cc

SHA256
bd4bac192b10a0c753ac8bc0c29493874a7290bddd744d70f0c59bb4a7519b75

SHA512
bd694241804c1ed43ebbbfa3d0728dc9c41444137149bf7e6281eb50d1ab2ee7285fe5ec470ad3a49b7c8833caba44963cca6da66f86a13fec18e9ba370d9784

Download Submit
\Users\Admin\AppData\Local\Temp\uq0.0.exe

Filesize
336KB

MD5
e237fdcba5d16c232655e2df8a9149ee

SHA1
74922bea56c72af362ae74164049a60356cd2d92

SHA256
f806666096ff034305a3610d4a209de5fc8f2c95cb9fb4d396ce04dd663c0fec

SHA512
b6e033cae499a54b0ee443f1f45b9bd78a7a719ad7a4e7cf3bbd989e039da8d1739b252d02b6fe519898a8476efc7d455611134c7e3ad367751f1795da57e19b

Download Submit
\Users\Admin\AppData\Local\Temp\uq0.1.exe

Filesize
161KB

MD5
acc80c158a90cc0967af63a99c2a72eb

SHA1
418789012b38d3335e7f731602fed193cff5c8ed

SHA256
6eb8b1958ae73e1bba5d63ef6fcbc431a000d60b2a15126513ee2f2620cba4a5

SHA512
06d71f6cbf1c5d1ca88002fa06a53bbbb614e01fbead81f28c1a58dd6c878e20ca1bd6d375b33bf4b680ebe488ca3397797df072add21ea31c4131ff5b43a7bd

Download Submit
\Users\Admin\AppData\Local\Temp\uq0.1.exe

Filesize
160KB

MD5
f562edf75bf595d7f0089c903ef965db

SHA1
c5c27678cb41f1f0f948521a1c8a38db498c01f0

SHA256
b4b4629fe045f9aa9f914330d9b35871c307052daa502bb8a47665884d43d4fd

SHA512
3cf0ea33e55ae5cb501b9d1792adc798216524dc94f08129d204b3288e024279897295a27c7cf362b8f9e5a1249069d965e6d3bbc9b6c5d7dfa07ce61acc3dd4

Download Submit
\Users\Admin\AppData\Local\Temp\uq0.1.exe

Filesize
116KB

MD5
0e6bb3011f8e75ca46855447166d421f

SHA1
c7d1a189f644f14069d4e1ae904692f9bf744871

SHA256
76e44e2184100bef495fdd4b8eca1fc3487b28c330decf722f89b5fb42edc5d0

SHA512
e59d4d0e1dfcb47586a3be99e66bd0a559db51b3f319bdde08250453636c6e8d9b5e37cd85c66273b59fc4e4ce49da72a1299e0d88bcb23aa319db0bb39c6620

Download Submit
\Users\Admin\AppData\Local\Temp\uq0.1.exe

Filesize
96KB

MD5
0a7bc35afce4ffdfee7b695d7ecf29fb

SHA1
d1ebe467376ebeac7e061fe7da03d527ff8e6d10

SHA256
513cb972259fc16ecbafb12a47a6a4083dcdc10329b2c3ee0ae58c3a8a5eb77a

SHA512
d13ea2195298398f862fa7e7787397c5a9baef14553e053d46e9aa334d20128fca6d89fb74a79444e1154c4b0280a5f5af38cbffe3c134917d8ad61fcb0a00d7

Download Submit
memory/936-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/936-44-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/936-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/936-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/936-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1760-28-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/1760-47-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1760-29-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1760-27-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1760-115-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1760-116-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1760-117-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2092-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2092-118-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2092-121-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/3032-4-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download