outsteel | 7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
Size

2.0MB
MD5

78e941e780adc1a159fdc7090194c96d
SHA1

9cd8a786572a7ee8713492302555fe4ce3432911
SHA256

7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32
SHA512

c96076d32e4a2d58825f2a4da6c450fadfa05fe54fb147ebd4bcbc4bcd01839bccf15ce7ff093fa9240eefb99ab5b1c20b502377de45817eb84f1df548489e23
SSDEEP

24576:AkDlPS8yMTT1XHEZAcH5KCRxAOLNh+itJxD3keK/DEWVgZ:xDU8FvdEmFoxfLRXxDMfyZ

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel

Executes dropped EXE 1 IoCs

pid	Process
2796	AddInProcess32.exe

Loads dropped DLL 1 IoCs

pid	Process
1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	AddInProcess32.exe
File opened (read-only)	\??\r:	AddInProcess32.exe
File opened (read-only)	\??\u:	AddInProcess32.exe
File opened (read-only)	\??\v:	AddInProcess32.exe
File opened (read-only)	\??\a:	AddInProcess32.exe
File opened (read-only)	\??\k:	AddInProcess32.exe
File opened (read-only)	\??\l:	AddInProcess32.exe
File opened (read-only)	\??\m:	AddInProcess32.exe
File opened (read-only)	\??\n:	AddInProcess32.exe
File opened (read-only)	\??\g:	AddInProcess32.exe
File opened (read-only)	\??\h:	AddInProcess32.exe
File opened (read-only)	\??\j:	AddInProcess32.exe
File opened (read-only)	\??\w:	AddInProcess32.exe
File opened (read-only)	\??\x:	AddInProcess32.exe
File opened (read-only)	\??\y:	AddInProcess32.exe
File opened (read-only)	\??\z:	AddInProcess32.exe
File opened (read-only)	\??\b:	AddInProcess32.exe
File opened (read-only)	\??\e:	AddInProcess32.exe
File opened (read-only)	\??\i:	AddInProcess32.exe
File opened (read-only)	\??\p:	AddInProcess32.exe
File opened (read-only)	\??\q:	AddInProcess32.exe
File opened (read-only)	\??\s:	AddInProcess32.exe
File opened (read-only)	\??\t:	AddInProcess32.exe

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2796-16-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-18-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-17-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-21-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-24-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-27-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-28-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-30-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-34-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-46-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-48-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-50-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-58-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-64-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-67-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-78-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral1/memory/2796-100-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 1300 wrote to memory of 2796	1300	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	28
PID 2796 wrote to memory of 2688	2796	AddInProcess32.exe	31
PID 2796 wrote to memory of 2688	2796	AddInProcess32.exe	31
PID 2796 wrote to memory of 2688	2796	AddInProcess32.exe	31
PID 2796 wrote to memory of 2688	2796	AddInProcess32.exe	31
PID 2796 wrote to memory of 792	2796	AddInProcess32.exe	33
PID 2796 wrote to memory of 792	2796	AddInProcess32.exe	33
PID 2796 wrote to memory of 792	2796	AddInProcess32.exe	33
PID 2796 wrote to memory of 792	2796	AddInProcess32.exe	33
PID 2796 wrote to memory of 2720	2796	AddInProcess32.exe	35
PID 2796 wrote to memory of 2720	2796	AddInProcess32.exe	35
PID 2796 wrote to memory of 2720	2796	AddInProcess32.exe	35
PID 2796 wrote to memory of 2720	2796	AddInProcess32.exe	35
PID 2796 wrote to memory of 1212	2796	AddInProcess32.exe	37
PID 2796 wrote to memory of 1212	2796	AddInProcess32.exe	37
PID 2796 wrote to memory of 1212	2796	AddInProcess32.exe	37
PID 2796 wrote to memory of 1212	2796	AddInProcess32.exe	37
PID 2796 wrote to memory of 1232	2796	AddInProcess32.exe	39
PID 2796 wrote to memory of 1232	2796	AddInProcess32.exe	39
PID 2796 wrote to memory of 1232	2796	AddInProcess32.exe	39
PID 2796 wrote to memory of 1232	2796	AddInProcess32.exe	39
PID 2796 wrote to memory of 2320	2796	AddInProcess32.exe	41
PID 2796 wrote to memory of 2320	2796	AddInProcess32.exe	41
PID 2796 wrote to memory of 2320	2796	AddInProcess32.exe	41
PID 2796 wrote to memory of 2320	2796	AddInProcess32.exe	41
PID 2796 wrote to memory of 1044	2796	AddInProcess32.exe	43
PID 2796 wrote to memory of 1044	2796	AddInProcess32.exe	43
PID 2796 wrote to memory of 1044	2796	AddInProcess32.exe	43
PID 2796 wrote to memory of 1044	2796	AddInProcess32.exe	43
PID 2796 wrote to memory of 1364	2796	AddInProcess32.exe	45
PID 2796 wrote to memory of 1364	2796	AddInProcess32.exe	45
PID 2796 wrote to memory of 1364	2796	AddInProcess32.exe	45
PID 2796 wrote to memory of 1364	2796	AddInProcess32.exe	45
PID 2796 wrote to memory of 1944	2796	AddInProcess32.exe	47
PID 2796 wrote to memory of 1944	2796	AddInProcess32.exe	47
PID 2796 wrote to memory of 1944	2796	AddInProcess32.exe	47
PID 2796 wrote to memory of 1944	2796	AddInProcess32.exe	47
PID 2796 wrote to memory of 1740	2796	AddInProcess32.exe	49
PID 2796 wrote to memory of 1740	2796	AddInProcess32.exe	49
PID 2796 wrote to memory of 1740	2796	AddInProcess32.exe	49
PID 2796 wrote to memory of 1740	2796	AddInProcess32.exe	49
PID 2796 wrote to memory of 1716	2796	AddInProcess32.exe	51
PID 2796 wrote to memory of 1716	2796	AddInProcess32.exe	51
PID 2796 wrote to memory of 1716	2796	AddInProcess32.exe	51
PID 2796 wrote to memory of 1716	2796	AddInProcess32.exe	51
PID 2796 wrote to memory of 2824	2796	AddInProcess32.exe	53
PID 2796 wrote to memory of 2824	2796	AddInProcess32.exe	53
PID 2796 wrote to memory of 2824	2796	AddInProcess32.exe	53
PID 2796 wrote to memory of 2824	2796	AddInProcess32.exe	53
PID 2796 wrote to memory of 2808	2796	AddInProcess32.exe	55
PID 2796 wrote to memory of 2808	2796	AddInProcess32.exe	55
PID 2796 wrote to memory of 2808	2796	AddInProcess32.exe	55
PID 2796 wrote to memory of 2808	2796	AddInProcess32.exe	55
PID 2796 wrote to memory of 3004	2796	AddInProcess32.exe	57

C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
"C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1300-0-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-1-0x0000000000F00000-0x00000000010FA000-memory.dmp

Filesize
2.0MB

Download
memory/1300-2-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1300-3-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/1300-4-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/1300-6-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-7-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1300-8-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/1300-9-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/1300-25-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2796-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-30-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-16-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-18-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-17-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-14-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-21-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-13-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-24-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-27-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-28-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-15-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-34-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-46-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-48-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-50-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-58-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-64-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-67-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-78-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2796-100-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download