Overview

overview

10

Static

static

7

e46c03168b...77.exe

windows7-x64

10

e46c03168b...77.exe

windows10-2004-x64

10

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$TEMP/BroomSetup.exe

windows7-x64

7

$TEMP/BroomSetup.exe

windows10-2004-x64

7

$TEMP/syncUpd.exe

windows7-x64

10

$TEMP/syncUpd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 23:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/syncUpd.exe

  • Size

    200KB

  • MD5

    c722591f624fb69970f246b8c81d830f

  • SHA1

    85516decea5d6987bebe39cbadf36053beaf4bb0

  • SHA256

    13cd1152a19fdac6581cac2bd822f34bd3026ea1783ff231e299b6d28c046a6a

  • SHA512

    822584c5c8a0813af4d845e80919776c71a43464ab719d1c303ebaae6a8ed47763183566bedc9be2e8c44de8ee6fd62d1e12be471e5d5c73ae4b1dcdaa34a908

  • SSDEEP

    3072:8PDOu5suCmavnBRsuP6GTdbB27zP6FtHPUxX1GOL3+:455zaPBRPPj27uPH8jzu

Score
10/10
stealcdiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\syncUpd.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\syncUpd.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe
        "C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe"
        3⤵
        • Executes dropped EXE
        PID:3272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Are.docx
    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

    Download Submit

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • C:\ProgramData\nss3.dll
    Filesize

    901KB

    MD5

    73936ab55e46d10e15293acebe1e198f

    SHA1

    b4ad927fb8e16877b8762959f8611301e5debb53

    SHA256

    0279916e17c7dd8d2fbce200e535f697a9aff522496bed18672d8438ffee682d

    SHA512

    54ffaaaf719352c195b71c18cf9159bafc7ef1d31b5862d4c9089643b82d02d0a1c3d18741d225419ddc751787041ed342657ba4a038441afae81677f140a964

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe
    Filesize

    101KB

    MD5

    42b838cf8bdf67400525e128d917f6e0

    SHA1

    a578f6faec738912dba8c41e7abe1502c46d0cae

    SHA256

    0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

    SHA512

    f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

    Download Submit

  • memory/2848-62-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-80-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-29-0x0000000000680000-0x00000000006A7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2848-41-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-48-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-58-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2848-6-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2848-4-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-27-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2848-84-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-96-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-3-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-106-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2848-2-0x0000000000680000-0x00000000006A7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3272-110-0x00000000009F0000-0x0000000000A0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3272-111-0x0000000074BD0000-0x0000000075380000-memory.dmp

    Filesize

    7.7MB

    Download