Overview

overview

10

Static

static

10

0fb249f0b6...82.exe

windows7-x64

10

0fb249f0b6...82.exe

windows10-2004-x64

10

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$TEMP/BroomSetup.exe

windows7-x64

9

$TEMP/BroomSetup.exe

windows10-2004-x64

9

$TEMP/syncUpd.exe

windows7-x64

10

$TEMP/syncUpd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0fb249f0b6ea12a9a7e101f8e92cb6708b2c0fbf9de2ce0e88be4d84bf9b3482.exe

  • Size

    1.7MB

  • Sample

    240312-cjpgnsda7w

  • MD5

    d2a38a71e3577e4fbb4185b4ee935376

  • SHA1

    77d2ddc8fe67a720b75fd4027d143018f8c08791

  • SHA256

    0fb249f0b6ea12a9a7e101f8e92cb6708b2c0fbf9de2ce0e88be4d84bf9b3482

  • SHA512

    3a8dd6797dda6732fff10f02951d940a41e9f3b435ce74dfa266c91c585245a16012f4925bf909932ad03bf7aa6098e4a4d09f1e39a9091541e7793f22c57529

  • SSDEEP

    49152:J60SmMKCWrpP2g/NXrHTvOy3YuaqaI0THZqNPbmvrKLlDqKz:40sKCEPLRrHTG0aq6ZZklDXz

Score
10/10
stealcdiscoveryspywarestealerupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      0fb249f0b6ea12a9a7e101f8e92cb6708b2c0fbf9de2ce0e88be4d84bf9b3482.exe

    • Size

      1.7MB

    • MD5

      d2a38a71e3577e4fbb4185b4ee935376

    • SHA1

      77d2ddc8fe67a720b75fd4027d143018f8c08791

    • SHA256

      0fb249f0b6ea12a9a7e101f8e92cb6708b2c0fbf9de2ce0e88be4d84bf9b3482

    • SHA512

      3a8dd6797dda6732fff10f02951d940a41e9f3b435ce74dfa266c91c585245a16012f4925bf909932ad03bf7aa6098e4a4d09f1e39a9091541e7793f22c57529

    • SSDEEP

      49152:J60SmMKCWrpP2g/NXrHTvOy3YuaqaI0THZqNPbmvrKLlDqKz:40sKCEPLRrHTG0aq6ZZklDXz

    Score
    10/10
    stealcdiscoveryspywarestealerupx

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • UPX dump on OEP (original entry point)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      21KB

    • MD5

      2b342079303895c50af8040a91f30f71

    • SHA1

      b11335e1cb8356d9c337cb89fe81d669a69de17e

    • SHA256

      2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

    • SHA512

      550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

    • SSDEEP

      384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i

    Score
    3/10
    behavioral3behavioral4

    • Target

      $TEMP/BroomSetup.exe

    • Size

      1.7MB

    • MD5

      eee5ddcffbed16222cac0a1b4e2e466e

    • SHA1

      28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

    • SHA256

      2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

    • SHA512

      8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

    • SSDEEP

      49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK

    Score
    9/10
    upx

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

    • Target

      $TEMP/syncUpd.exe

    • Size

      282KB

    • MD5

      54e0220b6f9b4f8f64382b71c6033595

    • SHA1

      1f599189588a7a174a6b8a4587ae0df5c15bdd6f

    • SHA256

      47bccced008024236587fbe59d8419a52888f7b50b01cc6c7dc92101a0885607

    • SHA512

      0c4e27554ee5a090f8e8e1fa0b901cc5cc90fb6f1a3fb68c4a991096d8ea53a07e452d1ad119b046107deffe34173b21a5ff2f0062b98ae9b23945ea05ad8708

    • SSDEEP

      3072:h+yppW19jNp4lE4XPx8eHoqKediatEpPbqz8s93GNeL8MOi9P4m8Z:h5m1VN+eImmrdiaAezP8eQtE4h

    Score
    10/10
    stealcdiscoveryspywarestealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks