General

  • Target

    tmp

  • Size

    200KB

  • Sample

    240406-gej4lscf67

  • MD5

    e4ff41258b1e13fc1a0cf33f83505c5b

  • SHA1

    c41a64aa8b5d921cf755d72dfd624066cbbdf6d8

  • SHA256

    0d19b90b35d268308253e621b1b3500b1d1dd98e5f72929ba6f78961423ca594

  • SHA512

    520a2c6a74f42743373e29c3aef59618e306a10a1f9ffec27990ed7533856bcc0ba8ce3174ee668418fd8325cf9ef664df29026238e21f4d234f4e7a25d0239a

  • SSDEEP

    3072:Gjn/KLxcJgP5F6gEMTMuBsCPFEy+DNHCobTDxlGd5zhb6y:qn/KaJg+hMwKFZ+BioPFlozh+

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes

  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      tmp

    • Size

      200KB

    • MD5

      e4ff41258b1e13fc1a0cf33f83505c5b

    • SHA1

      c41a64aa8b5d921cf755d72dfd624066cbbdf6d8

    • SHA256

      0d19b90b35d268308253e621b1b3500b1d1dd98e5f72929ba6f78961423ca594

    • SHA512

      520a2c6a74f42743373e29c3aef59618e306a10a1f9ffec27990ed7533856bcc0ba8ce3174ee668418fd8325cf9ef664df29026238e21f4d234f4e7a25d0239a

    • SSDEEP

      3072:Gjn/KLxcJgP5F6gEMTMuBsCPFEy+DNHCobTDxlGd5zhb6y:qn/KaJg+hMwKFZ+BioPFlozh+

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks