stealc

Sharing

Copy URL

Twitter E-mail

General

Target

7373e0bd6ebe13f63c61ddbe376372d161b95cc0f410cc7766b0786e4642bebc
Size

2.0MB
Sample

240313-zbnxhaga2s
MD5

435e0bd30d4957fa489f504948603d8d
SHA1

4d5df55d4227743fb564b0df1a195c3c0ac3bf56
SHA256

7373e0bd6ebe13f63c61ddbe376372d161b95cc0f410cc7766b0786e4642bebc
SHA512

e6ca8e1c70223d408015519c033ae72cf5b8f8355b4f635aa19a7e77ecd8bdae1954cb15b9964a92472e73c39d36f05d24c7152c2b290eb09bd027e554ba7a73
SSDEEP

49152:LHfava82599Gyh7/PhmhGvMw9f2lzs5tG7fSsGy:DfavX25Vh7ASMwl2lItG7fgy

Score

10^/10

Malware Config

Extracted

Family

stealc

http://185.172.128.145

Attributes

url_path
/3cd2b41cbde8fc9c.php

Targets

- Target
  
  7373e0bd6ebe13f63c61ddbe376372d161b95cc0f410cc7766b0786e4642bebc
- Size
  
  2.0MB
- MD5
  
  435e0bd30d4957fa489f504948603d8d
- SHA1
  
  4d5df55d4227743fb564b0df1a195c3c0ac3bf56
- SHA256
  
  7373e0bd6ebe13f63c61ddbe376372d161b95cc0f410cc7766b0786e4642bebc
- SHA512
  
  e6ca8e1c70223d408015519c033ae72cf5b8f8355b4f635aa19a7e77ecd8bdae1954cb15b9964a92472e73c39d36f05d24c7152c2b290eb09bd027e554ba7a73
- SSDEEP
  
  49152:LHfava82599Gyh7/PhmhGvMw9f2lzs5tG7fSsGy:DfavX25Vh7ASMwl2lItG7fgy
Score

10^/10

stealc discovery spyware stealer upx persistence
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- UPX dump on OEP (original entry point)
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  21KB
- MD5
  
  2b342079303895c50af8040a91f30f71
- SHA1
  
  b11335e1cb8356d9c337cb89fe81d669a69de17e
- SHA256
  
  2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
- SHA512
  
  550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
- SSDEEP
  
  384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
Score

3^/10
behavioral3 behavioral4
- Target
  
  $TEMP/BroomSetup.exe
- Size
  
  1.7MB
- MD5
  
  eee5ddcffbed16222cac0a1b4e2e466e
- SHA1
  
  28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
- SHA256
  
  2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
- SHA512
  
  8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
- SSDEEP
  
  49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK
Score

9^/10

upx
- UPX dump on OEP (original entry point)
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  $TEMP/syncUpd.exe
- Size
  
  200KB
- MD5
  
  c722591f624fb69970f246b8c81d830f
- SHA1
  
  85516decea5d6987bebe39cbadf36053beaf4bb0
- SHA256
  
  13cd1152a19fdac6581cac2bd822f34bd3026ea1783ff231e299b6d28c046a6a
- SHA512
  
  822584c5c8a0813af4d845e80919776c71a43464ab719d1c303ebaae6a8ed47763183566bedc9be2e8c44de8ee6fd62d1e12be471e5d5c73ae4b1dcdaa34a908
- SSDEEP
  
  3072:8PDOu5suCmavnBRsuP6GTdbB27zP6FtHPUxX1GOL3+:455zaPBRPPj27uPH8jzu
Score

10^/10

stealc discovery persistence spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

UPX dump on OEP (original entry point)

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

UPX dump on OEP (original entry point)

UPX packed file

Stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8