stealthworker | 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
submitted
06/03/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0721b1d0c9c68c18116273f2c293ff21.exe
Size

6.8MB
MD5

0721b1d0c9c68c18116273f2c293ff21
SHA1

dac53205b4ba718542138d90eb56f1641f5807b8
SHA256

0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
SHA512

012ee21fa04e7e361d4565ba81cc8ba256fb48a75cc93c5c6ea1f77f1e69adc3a5c14275dfe358e72b6f41dd67d174c0bbb4ca26d39f9c08168ccbb9d06d3ba9
SSDEEP

49152:k92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IuBNT/IeswF69B:BmP7i+Rf0es5u2BNTAcSE8wIX

Score

10^/10

stealthworker botnet discovery

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Stealthworker family
stealthworker

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0721b1d0c9c68c18116273f2c293ff21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4196	4672	0721b1d0c9c68c18116273f2c293ff21.exe	87
PID 4672 wrote to memory of 4196	4672	0721b1d0c9c68c18116273f2c293ff21.exe	87
PID 4672 wrote to memory of 4196	4672	0721b1d0c9c68c18116273f2c293ff21.exe	87

C:\Users\Admin\AppData\Local\Temp\0721b1d0c9c68c18116273f2c293ff21.exe
"C:\Users\Admin\AppData\Local\Temp\0721b1d0c9c68c18116273f2c293ff21.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
291B

MD5
82a4740ef41f60eb05b3ebd037e4529d

SHA1
6a26933d344efb5961e5b917bba7a1bf38d06daa

SHA256
2ac5966d146663ec8ff7789e9e955fc76c4ae5fdaef9db826e931ed5820c160b

SHA512
1ea3c6a879dd4f81b1b93b47dfe7555d0ed63ebec39c0a8ba3bc2eac71714783cdc16d214fa9719d81e97188b77fe208794bae231b1c00dc792fee210f820b61

Download Submit