stealc

Sharing

Copy URL

Twitter E-mail

General

Target

821c73ce1ec9ba9f86713ddc114e7d076cef76e069895b604654efdc200c100e
Size

2.1MB
Sample

240313-zwgnxsgg71
MD5

e0ef50f139bbab568a6e86fea597bb64
SHA1

f6341880e96eb05885c1ac29ca0d8672b563f5eb
SHA256

821c73ce1ec9ba9f86713ddc114e7d076cef76e069895b604654efdc200c100e
SHA512

b05532b853be5e84fb999cebbebaecb6341e6bd67e3092bf73de1848b791ffe389a3b8ef83ab01fc4e1d0c61038f020d2c2a586ada034b27e4300afab02d285c
SSDEEP

49152:LSx2evw7Mhkhk04bAP7ohLTM2l/9eJjtf+Jpqa6inUF:ex2ybkuLTnpoMpqrin+

Score

10^/10

Malware Config

Extracted

Family

stealc

http://185.172.128.145

Attributes

url_path
/3cd2b41cbde8fc9c.php

Targets

- Target
  
  821c73ce1ec9ba9f86713ddc114e7d076cef76e069895b604654efdc200c100e
- Size
  
  2.1MB
- MD5
  
  e0ef50f139bbab568a6e86fea597bb64
- SHA1
  
  f6341880e96eb05885c1ac29ca0d8672b563f5eb
- SHA256
  
  821c73ce1ec9ba9f86713ddc114e7d076cef76e069895b604654efdc200c100e
- SHA512
  
  b05532b853be5e84fb999cebbebaecb6341e6bd67e3092bf73de1848b791ffe389a3b8ef83ab01fc4e1d0c61038f020d2c2a586ada034b27e4300afab02d285c
- SSDEEP
  
  49152:LSx2evw7Mhkhk04bAP7ohLTM2l/9eJjtf+Jpqa6inUF:ex2ybkuLTnpoMpqrin+
Score

10^/10

stealc discovery persistence spyware stealer upx
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- UPX dump on OEP (original entry point)
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  21KB
- MD5
  
  2b342079303895c50af8040a91f30f71
- SHA1
  
  b11335e1cb8356d9c337cb89fe81d669a69de17e
- SHA256
  
  2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
- SHA512
  
  550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
- SSDEEP
  
  384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
Score

3^/10
behavioral3 behavioral4
- Target
  
  $TEMP/BroomSetup.exe
- Size
  
  1.7MB
- MD5
  
  eee5ddcffbed16222cac0a1b4e2e466e
- SHA1
  
  28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
- SHA256
  
  2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
- SHA512
  
  8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
- SSDEEP
  
  49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK
Score

9^/10

upx
- UPX dump on OEP (original entry point)
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  $TEMP/syncUpd.exe
- Size
  
  282KB
- MD5
  
  45d22efe66c3573da47197ff44dd54f2
- SHA1
  
  5c426bc365f775fbb433e2219c0dd2d146fc4cfc
- SHA256
  
  e1cd1d1df222eeb723bc22f7ae326c151ea73ae6ef7c571516efe0dc1e2546fb
- SHA512
  
  f22efc1de7fa66019e82040298c5285e06a8d5e1d9ac1478aaf478b99814002ba027056db3528d9d5ef451e542b70cfe2a12f17503fdce9c9f779dfe92c0524f
- SSDEEP
  
  3072:8P+bpittdpFpZltTlZoTIkLd1xBGBfqt+N548NXtTJs8+SGT:EpttPFzno1xcBqtse8XCj
Score

10^/10

stealc discovery persistence spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

UPX dump on OEP (original entry point)

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

UPX dump on OEP (original entry point)

UPX packed file

Stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8