stealc | 0d124edbaa3ae482812d236f4ed05b094085949a794d69b0bebc679b4a011720

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

3.0MB
MD5

88d8a1aa36d48e28d506abe4fa3e7322
SHA1

03385cdb977d1e7effbe5f9c1712b723778d3ea7
SHA256

0d124edbaa3ae482812d236f4ed05b094085949a794d69b0bebc679b4a011720
SHA512

3674f482ef11b359f0969476b0b3ca017689a8ba39b91bf99b8751d5f8cc5e8a1077a81cff9cdb268746f39000ab5976f3adb1166f9b34f9c32c3ffdc1a06491
SSDEEP

12288:XNzcTCPYV/oVQ+mJkP5isjJyhKxE5n9g8FYE2gXqi:XNzcTUYV3J25iDl9VYE2Mqi

Score

10^/10

stealc discovery spyware stealer

Malware Config

Extracted

Family

stealc

http://94.156.8.100

Attributes

url_path
/5dce321003e6a6b5.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2532	Answers.pif

Loads dropped DLL 3 IoCs

pid	Process
2996	cmd.exe
2532	Answers.pif
2532	Answers.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Answers.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Answers.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2148	tasklist.exe
2964	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2660	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2532	Answers.pif
2532	Answers.pif
2532	Answers.pif
2532	Answers.pif
2532	Answers.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	2964	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2532	Answers.pif
2532	Answers.pif
2532	Answers.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2532	Answers.pif
2532	Answers.pif
2532	Answers.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2996	1688	file.exe	28
PID 1688 wrote to memory of 2996	1688	file.exe	28
PID 1688 wrote to memory of 2996	1688	file.exe	28
PID 1688 wrote to memory of 2996	1688	file.exe	28
PID 2996 wrote to memory of 2148	2996	cmd.exe	30
PID 2996 wrote to memory of 2148	2996	cmd.exe	30
PID 2996 wrote to memory of 2148	2996	cmd.exe	30
PID 2996 wrote to memory of 2148	2996	cmd.exe	30
PID 2996 wrote to memory of 2608	2996	cmd.exe	31
PID 2996 wrote to memory of 2608	2996	cmd.exe	31
PID 2996 wrote to memory of 2608	2996	cmd.exe	31
PID 2996 wrote to memory of 2608	2996	cmd.exe	31
PID 2996 wrote to memory of 2964	2996	cmd.exe	33
PID 2996 wrote to memory of 2964	2996	cmd.exe	33
PID 2996 wrote to memory of 2964	2996	cmd.exe	33
PID 2996 wrote to memory of 2964	2996	cmd.exe	33
PID 2996 wrote to memory of 2672	2996	cmd.exe	34
PID 2996 wrote to memory of 2672	2996	cmd.exe	34
PID 2996 wrote to memory of 2672	2996	cmd.exe	34
PID 2996 wrote to memory of 2672	2996	cmd.exe	34
PID 2996 wrote to memory of 2400	2996	cmd.exe	35
PID 2996 wrote to memory of 2400	2996	cmd.exe	35
PID 2996 wrote to memory of 2400	2996	cmd.exe	35
PID 2996 wrote to memory of 2400	2996	cmd.exe	35
PID 2996 wrote to memory of 2776	2996	cmd.exe	36
PID 2996 wrote to memory of 2776	2996	cmd.exe	36
PID 2996 wrote to memory of 2776	2996	cmd.exe	36
PID 2996 wrote to memory of 2776	2996	cmd.exe	36
PID 2996 wrote to memory of 2500	2996	cmd.exe	37
PID 2996 wrote to memory of 2500	2996	cmd.exe	37
PID 2996 wrote to memory of 2500	2996	cmd.exe	37
PID 2996 wrote to memory of 2500	2996	cmd.exe	37
PID 2996 wrote to memory of 2532	2996	cmd.exe	38
PID 2996 wrote to memory of 2532	2996	cmd.exe	38
PID 2996 wrote to memory of 2532	2996	cmd.exe	38
PID 2996 wrote to memory of 2532	2996	cmd.exe	38
PID 2996 wrote to memory of 2660	2996	cmd.exe	39
PID 2996 wrote to memory of 2660	2996	cmd.exe	39
PID 2996 wrote to memory of 2660	2996	cmd.exe	39
PID 2996 wrote to memory of 2660	2996	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Op Op.bat & Op.bat & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 28977
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 28977\Answers.pif + Regarding + Devoted + Litigation + Quebec + Bird 28977\Answers.pif
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Tired + Theoretical 28977\x
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\28977\Answers.pif
    28977\Answers.pif 28977\x
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28977\Answers.pif

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\28977\x

Filesize
452KB

MD5
7a6280fecb35049852f0621b2fe68056

SHA1
52061818e4cba5519ccd3df0c2b8f00a268b1dd8

SHA256
f45dad331d7325f61a639c35109c3dff0f143cf90df8bc9d0e1781cd1dfc95c5

SHA512
7e51018ae5f6b2c5baf5f5bba958bebbfc7bc312e8a9ce841034190fa59bb7ab453f31d4fc4e18ab6515e551da387708bf0afe86dff9ee1e1bdaf3b4ee3abd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bird

Filesize
120KB

MD5
836c07851339002f98303a5c891e4eac

SHA1
cc45751b8f91cdb1472356f2aaddd47febbaf727

SHA256
a978ac3f2032fdf4d049d96625f0e2b87aef3423833180639066026ee7868ed8

SHA512
3453d2f08142d28feef6fb0515b5651cd7ddfd28bfc027f136a7ace391b2670957211b1dee87b6350ce5ef764f9b924efac75a89372d7cbc4884ad61b7063fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Devoted

Filesize
293KB

MD5
c9f80abd4f16771bd3737db863e23dcb

SHA1
46ae0172a2b91b1d803f8b6c4467f5cc77ea14af

SHA256
93a6b75ddcce2cff5408143cf7401fbf72997b1c2328067af24b57d2c27dbe7f

SHA512
839a7a1566bfdf7b3745fb8da07920931f08ff94506be181a20949502341e3b639aa17761a83d1a5507ff6f13f9c2953475571c510726f785a0a128a9d016ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litigation

Filesize
120KB

MD5
5c6fdfbeb0c825491d3750f554c17d34

SHA1
d268ac6a38ebcedc44ec26cbed4b6e01d579a94f

SHA256
8fdaff9449b777736fb29f83c0b1487301edf35dc7587fa21deff33b53653f2c

SHA512
0166394fdd4546528e53053c4b98c3e3bb55d86e4c8ed16ae31159d14bd7c5118cfcee9f664342bd46e5e915ece9ad7c98dfee488edbe2afee18521dc8fc066f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Op

Filesize
14KB

MD5
d580ec11b3e6507e19206ba4bf57c694

SHA1
b992c3641f6912a79070f28702a9962e8940ce00

SHA256
b12b66aa2cc0cf0751dd60b3eb561599eff3d18fbb355a5798671990ad631f09

SHA512
73f4dcce72a04db7380f9842fbe7047ba9cecaaf5efd7c19863806eba584ffe37df928e95dfbeeadc4c46b775e9ff57de293d5c8c88b3c3df5caf7a87b127606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quebec

Filesize
228KB

MD5
d39006f287c262cb1c3b967980eb486e

SHA1
b95d53eadee9e6dbae4a0cabe2142c95d6682d43

SHA256
cfc2640eb5a5540551eb0f98d2401b2aa1cf2f0832f08467b63c990b81e3e072

SHA512
e8e6260d250ee7ca2cc0de27f21f66591bc4070c70483caf6aee216aebf7b9529eb109ec829e2b771f0a9796305dce57b01e49e7b370082bb400313c25b5f184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regarding

Filesize
111KB

MD5
76e943c61037c4ddf03ec734829a59ee

SHA1
12a74a7d38b08e696feb23e355d478721dd428d0

SHA256
4bd083555dac351a8fc53221fedad1b4b86bdd098f499668ed508b336d42ec32

SHA512
e7a78675e3cd4b3463ec0da05fe842c9acfc6c377f0e61e69227d34da31102e99d89e393f8eb5f12752ec888d1cc1de052a38b6373d94d677053297b839c4190

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theoretical

Filesize
203KB

MD5
6c881a609113c5e54ec4fa36f728e53f

SHA1
cbf09b946769746a5fe50fcc2e8faa9b24c22650

SHA256
195e339af3f18876f51bcfc561d3964fa4f713db0ad5d72a749a490df2e43c64

SHA512
d46408f17dbe79068a76b4cbae289dc9a365d7ce76991efced6813ca7c58cfe8b11bb55b759b775ad3c6ef3a4d059a7a995c131ecf1b1ae3243243f3eeea3661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tired

Filesize
249KB

MD5
5a63e5f4324ae966ef09547f48a158d9

SHA1
461cb15043282d8f12f1a042ed773ee9e008a7fd

SHA256
dd8e0644d19a193fcfdfc7dfa6f55e5e9dca7b38041f03727e730dc76bd6de83

SHA512
5474a325eaa8a65f7042a40bb89709fdc937b227ebb78e118ba3c52f5a85ec88a420ad8cfff41351bc54385e689be06e77631e65cc55a66ce3dc01803ff8b555

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\28977\Answers.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/2532-27-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-28-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-26-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-29-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-30-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-31-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2532-25-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2532-24-0x0000000077330000-0x0000000077406000-memory.dmp

Filesize
856KB

Download
memory/2532-88-0x0000000004440000-0x000000000467B000-memory.dmp

Filesize
2.2MB

Download