stealthworker | 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4 | Triage

Sharing

General

Target

0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
Size

6.8MB
MD5

0721b1d0c9c68c18116273f2c293ff21
SHA1

dac53205b4ba718542138d90eb56f1641f5807b8
SHA256

0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
SHA512

012ee21fa04e7e361d4565ba81cc8ba256fb48a75cc93c5c6ea1f77f1e69adc3a5c14275dfe358e72b6f41dd67d174c0bbb4ca26d39f9c08168ccbb9d06d3ba9
SSDEEP

49152:k92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IuBNT/IeswF69B:BmP7i+Rf0es5u2BNTAcSE8wIX

Score

10^/10

botnet stealthworker

Malware Config

Extracted

Family

stealthworker

Version

3.09

C2

http://62.122.184.95:8888

Signatures

StealthWorker payload 1 IoCs
botnet

Processes:

resource yara_rule

sample stealthworker
Stealthworker family
stealthworker

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4

Files

0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
.exe windows:4 windows x86 arch:x86

1c2a6fbef41572f4c9ce8acb5a63cde7

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeEndPeriod
timeBeginPeriod

ws2_32

WSAGetOverlappedResult

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
SwitchToThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
LoadLibraryA
LoadLibraryW
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateThread
CreateIoCompletionPort
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 198KB - Virtual size: 285KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 902B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ