General

  • Target

    a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98

  • Size

    2.0MB

  • Sample

    240313-1x8dpsce64

  • MD5

    8622cfa4169dcf4067c9ae95f547e0ab

  • SHA1

    bc493149c64f6fe7a3b148582eae4c6c067d2c01

  • SHA256

    a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98

  • SHA512

    3e3acb0dc3cffb2cbbd368451aed2fbed8f432c0c025b93a18bd5a6b834b83eef3970640991e136e9215389538c68ba899f9683b89de4fc4c3c3fec0a20793bc

  • SSDEEP

    49152:L/Wc4f+MZYsh6bIm5KCoaOEHXhm95BBy/9z8LsvfMA7jYMd:CTfFym6bImUfexm95BOnd

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98

    • Size

      2.0MB

    • MD5

      8622cfa4169dcf4067c9ae95f547e0ab

    • SHA1

      bc493149c64f6fe7a3b148582eae4c6c067d2c01

    • SHA256

      a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98

    • SHA512

      3e3acb0dc3cffb2cbbd368451aed2fbed8f432c0c025b93a18bd5a6b834b83eef3970640991e136e9215389538c68ba899f9683b89de4fc4c3c3fec0a20793bc

    • SSDEEP

      49152:L/Wc4f+MZYsh6bIm5KCoaOEHXhm95BBy/9z8LsvfMA7jYMd:CTfFym6bImUfexm95BOnd

    • Stealc

      Stealc is an infostealer written in C++.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • UPX dump on OEP (original entry point)

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      21KB

    • MD5

      2b342079303895c50af8040a91f30f71

    • SHA1

      b11335e1cb8356d9c337cb89fe81d669a69de17e

    • SHA256

      2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

    • SHA512

      550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

    • SSDEEP

      384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i

    Score
    3/10
    • Target

      $TEMP/BroomSetup.exe

    • Size

      1.7MB

    • MD5

      eee5ddcffbed16222cac0a1b4e2e466e

    • SHA1

      28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

    • SHA256

      2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

    • SHA512

      8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

    • SSDEEP

      49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK

    Score
    9/10
    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $TEMP/syncUpd.exe

    • Size

      199KB

    • MD5

      c30ba6943a94d2e8ed78cd2ca1bc207d

    • SHA1

      9f72b0a089b6c66a1e81b25fe0b652f3bbb85b79

    • SHA256

      d14472c3ab77a8e09ce45dbf6dfc686657539fc9520b510b4417f99114cfd7e8

    • SHA512

      8080ae1b569b6f0f65814758ee3cdbf45f51e1411c731850751980b9310eb3493f64b6b85e681059f9354ea07fb110f1865f5b613c6dc90290f6fcb3b5b194a0

    • SSDEEP

      3072:CHO6XigQe+JK1vljkjdv/oJIOSe7NC1RhrW2O4:C5Xp+WSjd38v7NC3

    • Buer

      Buer is a new modular loader first seen in August 2019.

    • Stealc

      Stealc is an infostealer written in C++.

    • Detect binaries embedding considerable number of MFA browser extension IDs.

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks