Overview

overview

10

Static

static

1

4ee84419fb...20.exe

windows7-x64

10

4ee84419fb...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ee84419fb9267081480954f1be176095a45fe299078dfa95f980e513b46a020.exe

  • Size

    4.9MB

  • MD5

    3640ff45519f1acc1505348010626b6d

  • SHA1

    d5b85fddbf7c893e50560da787d7bc0dcef658e9

  • SHA256

    4ee84419fb9267081480954f1be176095a45fe299078dfa95f980e513b46a020

  • SHA512

    6b407e7bfd9bdc7b4ab99b25ff810e547e38e29441b9e9fc224450d71a352789683b7096747daa98c114b65153c80fa857c538461a951432d9c20392b2c18486

  • SSDEEP

    98304:D2X7i8AE3yWw+0wHhuEpvzmA9CQn4RNUBo003+RVIajg5I85CQJ:Y35yA9C/t0E+RKXI8P

Score
10/10
outsteelspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ee84419fb9267081480954f1be176095a45fe299078dfa95f980e513b46a020.exe
    "C:\Users\Admin\AppData\Local\Temp\4ee84419fb9267081480954f1be176095a45fe299078dfa95f980e513b46a020.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        3⤵
          PID:2404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
          3⤵
            PID:2528
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
            3⤵
              PID:3012
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
              3⤵
                PID:2816
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
                3⤵
                  PID:2992
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                  3⤵
                    PID:2652
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                    3⤵
                      PID:2180
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                      3⤵
                        PID:2748
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                        3⤵
                          PID:3004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                          3⤵
                            PID:2348
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                            3⤵
                              PID:868
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                              3⤵
                                PID:2068
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                                3⤵
                                  PID:2884
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                  3⤵
                                    PID:1864
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                    3⤵
                                      PID:448
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                      3⤵
                                        PID:612
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                        3⤵
                                          PID:1760
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
                                          3⤵
                                            PID:2264

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/2168-18-0x0000000000A20000-0x0000000000A21000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-0-0x0000000000400000-0x0000000000986000-memory.dmp

                                        Filesize

                                        5.5MB

                                        Download

                                      • memory/2168-7-0x00000000009F0000-0x00000000009F1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-6-0x00000000009A0000-0x00000000009A1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-1-0x0000000000400000-0x0000000000986000-memory.dmp

                                        Filesize

                                        5.5MB

                                        Download

                                      • memory/2168-4-0x00000000009D0000-0x00000000009D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-2-0x00000000009C0000-0x00000000009C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-16-0x0000000000A20000-0x0000000000A21000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-9-0x0000000000340000-0x00000000003A0000-memory.dmp

                                        Filesize

                                        384KB

                                        Download

                                      • memory/2168-28-0x00000000028D0000-0x00000000028D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-11-0x0000000000400000-0x0000000000986000-memory.dmp

                                        Filesize

                                        5.5MB

                                        Download

                                      • memory/2168-13-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-15-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-25-0x0000000002510000-0x0000000002511000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-23-0x0000000002510000-0x0000000002511000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-20-0x0000000000A20000-0x0000000000A21000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-8-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-30-0x00000000028D0000-0x00000000028D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-32-0x0000000002980000-0x0000000002981000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-38-0x0000000003700000-0x0000000003701000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-36-0x0000000003700000-0x0000000003701000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-33-0x0000000002980000-0x0000000002981000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2168-51-0x0000000000400000-0x0000000000986000-memory.dmp

                                        Filesize

                                        5.5MB

                                        Download

                                      • memory/2720-43-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2720-52-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-41-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-53-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-54-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-56-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-62-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/2720-72-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download