stealthworker | 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240215-en
submitted
06/03/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win.exe
Size

6.8MB
MD5

0721b1d0c9c68c18116273f2c293ff21
SHA1

dac53205b4ba718542138d90eb56f1641f5807b8
SHA256

0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
SHA512

012ee21fa04e7e361d4565ba81cc8ba256fb48a75cc93c5c6ea1f77f1e69adc3a5c14275dfe358e72b6f41dd67d174c0bbb4ca26d39f9c08168ccbb9d06d3ba9
SSDEEP

49152:k92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IuBNT/IeswF69B:BmP7i+Rf0es5u2BNTAcSE8wIX

Score

10^/10

stealthworker botnet discovery

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Stealthworker family
stealthworker
Contacts a large (4866) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2664	2220	win.exe	28
PID 2220 wrote to memory of 2664	2220	win.exe	28
PID 2220 wrote to memory of 2664	2220	win.exe	28
PID 2220 wrote to memory of 2664	2220	win.exe	28

C:\Users\Admin\AppData\Local\Temp\win.exe
"C:\Users\Admin\AppData\Local\Temp\win.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
262B

MD5
dace4cfc41d54279f64553161c75d806

SHA1
d39661eb638c9a278352de505e26e7b044cc8a02

SHA256
ba823dd59d178cf2f905e66fde280f8e23feb0eb1e85d281a99ff487f8f01c37

SHA512
512e9a434d5a0af2205531dd796ea6d61a37f006261dc4f52d2911672f7222aa76dcc2cddb65b0fa40fb63e9d04ab0608812fa7b5351505c3e30227441ee23ef

Download Submit