Overview

overview

10

Static

static

10

Creal-Stea...er.bat

windows7-x64

1

Creal-Stea...er.bat

windows10-2004-x64

1

Creal-Stea...er.pyw

windows7-x64

3

Creal-Stea...er.pyw

windows10-2004-x64

6

Creal-Stea...eal.py

windows7-x64

3

Creal-Stea...eal.py

windows10-2004-x64

3

Creal-Stea...ll.bat

windows7-x64

1

Creal-Stea...ll.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-02-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Creal-Stealer-main/creal.py

  • Size

    56KB

  • MD5

    5b6c9e120ec540ba7f4ae0583cf2516d

  • SHA1

    371ec01bee3ebde3db87a48a66fd414237a52a8e

  • SHA256

    d2f58e2b23fcf0cad401b79ffce450671ec8cc8c4030ceb19021511da7419c93

  • SHA512

    5af377c0b6b9d7891c49d2203b1978da4d3351d0b9af4c90f71f01a70a1eea89e4c93c0737a2f5c4b1248bcd086d829079a1b969c71b55070346875b37c36fd5

  • SSDEEP

    768:QmWsYvpkylnnXeihOCS9DtiXLCezzj/VckjTPJPirqWR:QLnhhFS9Dt6LvLVdjTJWR

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Creal-Stealer-main\creal.py
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Creal-Stealer-main\creal.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Creal-Stealer-main\creal.py"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    20f8e95fe279525aab6071cc865284b5

    SHA1

    bbce4e7fd6b50108ccb8d9306bfbaf253e1b3ba9

    SHA256

    5e4e4a609cae4af99d7986371cfd794f48b260e04a835fbccd5467a8c0656ae9

    SHA512

    ac7a8ca90c8d679452b9e2f392eebe21241e43f4cd3aaceb56e9bcbe295659d1dc04abea84f737425377971bcb5ddb6aae8ef5dcb942648a95601595f431e1fb

    Download Submit