Analysis

  • max time kernel
    190s
  • max time network
    294s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-02-2024 07:37

General

  • Target

    3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe

  • Size

    175KB

  • MD5

    2ff6ee1ef4ea7c63588e3c904e066cf4

  • SHA1

    85a5d659cdcdd358af7320a39dd129601b9e8c41

  • SHA256

    3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30

  • SHA512

    5d00ea2bbe6384e6f4375210f485b80e8109e4c578775d146423696ce8e6b4beac93d240df329ad443f0b03d13ec46cfdd06e80d52946f662263169fffdb6713

  • SSDEEP

    3072:NwLDaY5OIQfqCanVKeZccMBt1n/W77i5ftMwQx6TN45:uLDf5Yo3ZccMB3nAwQ7

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.24

Attributes
  • url_path

    /40d570f44e84a454.php

rc4.plain

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
    "C:\Users\Admin\AppData\Local\Temp\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
  • C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    1⤵
    • Delays execution with timeout.exe
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Are.docx

    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

  • C:\ProgramData\mozglue.dll

    Filesize

    150KB

    MD5

    e2200df51b2a1c28a3174e4f9dfe487b

    SHA1

    73e9339f187c22cff92e699fbc9d1e9d761ee80f

    SHA256

    91c93fe1a0e521092f635da8438fceeed83c6f1e4bd6e6e839069b165e12f08a

    SHA512

    3175946f88d4bb769af14fb64e21f27d8f13ece47c8c79680c748303467f9cb3db669912cb0b15276ba88939e22e001b28a5192c3d39ace9345f735ec779e9ff

  • \ProgramData\mozglue.dll

    Filesize

    110KB

    MD5

    4433da2077d975207f170d052c6fe2d5

    SHA1

    dbbd21953017fb6e1ab50b0d8c1bb241b5c4cf7a

    SHA256

    295d37b1e05d90337f1d95e69ccf7c17a5bf62481cd720cffd088e8f9620ffea

    SHA512

    878a5d05fcf4b1e7446764dbedc5be58ce831557e11aa55399f7cae8e6d166c8627babcf85a434d0dab8594772c6629f90d0c305f12238add318f8c09d0af984

  • \ProgramData\nss3.dll

    Filesize

    98KB

    MD5

    ea17bdbc1d962080975e82f5a805f53a

    SHA1

    3bbcfca796ded835bf7807f495a19ebd94ceccc4

    SHA256

    ee3457d1021ac42f683efd824792dcbbc077726835f75f6adfe70f6a0797be76

    SHA512

    75de4d75ff95eeb6f02d34d3e9d86da3c983e1186d202540a6a06d9a97f005db11a378cd761068be247094998ae978719307d33bc3ba4cff2a7c75b94b8f0ecd

  • memory/428-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/428-42-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/428-2-0x0000000002210000-0x000000000222C000-memory.dmp

    Filesize

    112KB

  • memory/428-3-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/428-70-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/428-75-0x0000000000870000-0x0000000000970000-memory.dmp

    Filesize

    1024KB

  • memory/428-76-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/428-1-0x0000000000870000-0x0000000000970000-memory.dmp

    Filesize

    1024KB

  • memory/428-82-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB