330443e86efd23fd22c62a1fb09b86e1caa94e017bab089a92fb41e28ae9ceac

Analysis

max time kernel
116s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
19/02/2024, 20:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal-Stealer-main/README.md
Size

3KB
MD5

a98951f34afe913512beaa3bc829711f
SHA1

5bd8ad0581bb526cf9fb53b2fb5675bc2648513e
SHA256

055f3a6321629a4a6519e5c10c82ca5ceb132ee5a012baedfa1b8531782190ff
SHA512

041c6e0a731d755d398c4c254691ac75abb34c345fd37dcc85e74de35c75a0996e31e5c0bc05b7f5aa29881e148bc6b6ea14ce041521a38b586796e485856dbd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
732	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Creal-Stealer-main\README.md
1⤵
- Modifies registry class
PID:2332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:732

Network

DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-frc-b.francecentral.cloudapp.azure.com

iris-de-prod-azsc-v2-frc-b.francecentral.cloudapp.azure.com

IN A

20.74.47.205
DNS

175.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

175.178.17.96.in-addr.arpa

IN PTR

Response

175.178.17.96.in-addr.arpa

IN PTR

a96-17-178-175deploystaticakamaitechnologiescom
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.236.23
DNS

176.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.178.17.96.in-addr.arpa

IN PTR

Response

176.178.17.96.in-addr.arpa

IN PTR

a96-17-178-176deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

96.17.178.175

a767.dspw65.akamai.net

IN A

96.17.178.177

a767.dspw65.akamai.net

IN A

96.17.178.173

a767.dspw65.akamai.net

IN A

96.17.178.176

a767.dspw65.akamai.net

IN A

96.17.178.188

a767.dspw65.akamai.net

IN A

96.17.178.189

a767.dspw65.akamai.net

IN A

96.17.178.174

a767.dspw65.akamai.net

IN A

96.17.178.193

a767.dspw65.akamai.net

IN A

96.17.178.195
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

tse1.mm.bing.net

tls

1.6kB
8.5kB
18
16
204.79.197.200:443

tse1.mm.bing.net

tls

1.7kB
8.4kB
18
15
204.79.197.200:443

tse1.mm.bing.net

tls

81.5kB
2.4MB
1720
1720
204.79.197.200:443

tse1.mm.bing.net

tls

1.7kB
9.0kB
19
17
204.79.197.200:443

tse1.mm.bing.net

tls

1.6kB
8.5kB
18
16

8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

339 B
782 B
5
5

DNS Request

76.32.126.40.in-addr.arpa

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

arc.msn.com

DNS Response

20.74.47.205

DNS Request

175.178.17.96.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.236.23
8.8.8.8:53

176.178.17.96.in-addr.arpa

dns

357 B
898 B
5
5

DNS Request

176.178.17.96.in-addr.arpa

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

96.17.178.175

96.17.178.177

96.17.178.173

96.17.178.176

96.17.178.188

96.17.178.189

96.17.178.174

96.17.178.193

96.17.178.195

DNS Request

26.35.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.