Overview

overview

10

Static

static

7

e4c88ef88c...aa.exe

windows7-x64

10

e4c88ef88c...aa.exe

windows10-2004-x64

10

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$TEMP/BroomSetup.exe

windows7-x64

7

$TEMP/BroomSetup.exe

windows10-2004-x64

7

$TEMP/syncUpd.exe

windows7-x64

10

$TEMP/syncUpd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e4c88ef88cd0bae896c2e49f692d29e992f6fd261c8f7aaf96fadde55de6cdaa

  • Size

    2.0MB

  • Sample

    240312-2mz51seg84

  • MD5

    82d5fd8413dea6b318ac98e597b2f9f6

  • SHA1

    de8a5b67bba558d434e7edb463f9b6ee42e56394

  • SHA256

    e4c88ef88cd0bae896c2e49f692d29e992f6fd261c8f7aaf96fadde55de6cdaa

  • SHA512

    ca852b01bc26dffaf94b7ee3532784dc33cb29ef67affdb4cb58b3b6b64c36dacfd8e1f046fe1430386e5b7046310102826033b78c1a20f736b0787091866b0d

  • SSDEEP

    49152:LCZ9FbqoVBbFeSNU1ux1XRJcuO+U9QGu5E4M90eSZqBraOZkS:2Z9AoVLm3paGhd9uWraOZz

Score
10/10
stealcdiscoverypersistencespywarestealerupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      e4c88ef88cd0bae896c2e49f692d29e992f6fd261c8f7aaf96fadde55de6cdaa

    • Size

      2.0MB

    • MD5

      82d5fd8413dea6b318ac98e597b2f9f6

    • SHA1

      de8a5b67bba558d434e7edb463f9b6ee42e56394

    • SHA256

      e4c88ef88cd0bae896c2e49f692d29e992f6fd261c8f7aaf96fadde55de6cdaa

    • SHA512

      ca852b01bc26dffaf94b7ee3532784dc33cb29ef67affdb4cb58b3b6b64c36dacfd8e1f046fe1430386e5b7046310102826033b78c1a20f736b0787091866b0d

    • SSDEEP

      49152:LCZ9FbqoVBbFeSNU1ux1XRJcuO+U9QGu5E4M90eSZqBraOZkS:2Z9AoVLm3paGhd9uWraOZz

    Score
    10/10
    stealcdiscoverypersistencespywarestealerupx

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      21KB

    • MD5

      2b342079303895c50af8040a91f30f71

    • SHA1

      b11335e1cb8356d9c337cb89fe81d669a69de17e

    • SHA256

      2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

    • SHA512

      550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

    • SSDEEP

      384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i

    Score
    3/10
    behavioral3behavioral4

    • Target

      $TEMP/BroomSetup.exe

    • Size

      1.7MB

    • MD5

      eee5ddcffbed16222cac0a1b4e2e466e

    • SHA1

      28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

    • SHA256

      2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

    • SHA512

      8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

    • SSDEEP

      49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

    • Target

      $TEMP/syncUpd.exe

    • Size

      200KB

    • MD5

      c722591f624fb69970f246b8c81d830f

    • SHA1

      85516decea5d6987bebe39cbadf36053beaf4bb0

    • SHA256

      13cd1152a19fdac6581cac2bd822f34bd3026ea1783ff231e299b6d28c046a6a

    • SHA512

      822584c5c8a0813af4d845e80919776c71a43464ab719d1c303ebaae6a8ed47763183566bedc9be2e8c44de8ee6fd62d1e12be471e5d5c73ae4b1dcdaa34a908

    • SSDEEP

      3072:8PDOu5suCmavnBRsuP6GTdbB27zP6FtHPUxX1GOL3+:455zaPBRPPj27uPH8jzu

    Score
    10/10
    stealcdiscoveryspywarestealerpersistence

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

2
T1053

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

2
T1053

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

2
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

6
T1552

Credentials In Files

6
T1552.001

Discovery

Query Registry

6
T1012

System Information Discovery

7
T1082

Remote System Discovery

2
T1018

Lateral Movement

Collection

Data from Local System

6
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks