outsteel | 7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
Size

2.0MB
MD5

78e941e780adc1a159fdc7090194c96d
SHA1

9cd8a786572a7ee8713492302555fe4ce3432911
SHA256

7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32
SHA512

c96076d32e4a2d58825f2a4da6c450fadfa05fe54fb147ebd4bcbc4bcd01839bccf15ce7ff093fa9240eefb99ab5b1c20b502377de45817eb84f1df548489e23
SSDEEP

24576:AkDlPS8yMTT1XHEZAcH5KCRxAOLNh+itJxD3keK/DEWVgZ:xDU8FvdEmFoxfLRXxDMfyZ

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel

Executes dropped EXE 1 IoCs

pid	Process
3092	AddInProcess32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	AddInProcess32.exe
File opened (read-only)	\??\o:	AddInProcess32.exe
File opened (read-only)	\??\g:	AddInProcess32.exe
File opened (read-only)	\??\k:	AddInProcess32.exe
File opened (read-only)	\??\q:	AddInProcess32.exe
File opened (read-only)	\??\t:	AddInProcess32.exe
File opened (read-only)	\??\l:	AddInProcess32.exe
File opened (read-only)	\??\v:	AddInProcess32.exe
File opened (read-only)	\??\w:	AddInProcess32.exe
File opened (read-only)	\??\x:	AddInProcess32.exe
File opened (read-only)	\??\b:	AddInProcess32.exe
File opened (read-only)	\??\h:	AddInProcess32.exe
File opened (read-only)	\??\i:	AddInProcess32.exe
File opened (read-only)	\??\j:	AddInProcess32.exe
File opened (read-only)	\??\y:	AddInProcess32.exe
File opened (read-only)	\??\r:	AddInProcess32.exe
File opened (read-only)	\??\s:	AddInProcess32.exe
File opened (read-only)	\??\u:	AddInProcess32.exe
File opened (read-only)	\??\z:	AddInProcess32.exe
File opened (read-only)	\??\a:	AddInProcess32.exe
File opened (read-only)	\??\e:	AddInProcess32.exe
File opened (read-only)	\??\n:	AddInProcess32.exe
File opened (read-only)	\??\p:	AddInProcess32.exe

AutoIT Executable 21 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3092-19-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-21-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-23-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-26-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-27-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-33-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-37-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-45-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-46-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-49-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-57-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-61-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-66-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-65-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-73-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-78-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-77-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-82-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-81-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-85-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe
behavioral2/memory/3092-99-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3368 wrote to memory of 3092	3368	7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe	96
PID 3092 wrote to memory of 5044	3092	AddInProcess32.exe	97
PID 3092 wrote to memory of 5044	3092	AddInProcess32.exe	97
PID 3092 wrote to memory of 5044	3092	AddInProcess32.exe	97
PID 3092 wrote to memory of 2824	3092	AddInProcess32.exe	99
PID 3092 wrote to memory of 2824	3092	AddInProcess32.exe	99
PID 3092 wrote to memory of 2824	3092	AddInProcess32.exe	99
PID 3092 wrote to memory of 4092	3092	AddInProcess32.exe	101
PID 3092 wrote to memory of 4092	3092	AddInProcess32.exe	101
PID 3092 wrote to memory of 4092	3092	AddInProcess32.exe	101
PID 3092 wrote to memory of 2396	3092	AddInProcess32.exe	103
PID 3092 wrote to memory of 2396	3092	AddInProcess32.exe	103
PID 3092 wrote to memory of 2396	3092	AddInProcess32.exe	103
PID 3092 wrote to memory of 816	3092	AddInProcess32.exe	105
PID 3092 wrote to memory of 816	3092	AddInProcess32.exe	105
PID 3092 wrote to memory of 816	3092	AddInProcess32.exe	105
PID 3092 wrote to memory of 3412	3092	AddInProcess32.exe	107
PID 3092 wrote to memory of 3412	3092	AddInProcess32.exe	107
PID 3092 wrote to memory of 3412	3092	AddInProcess32.exe	107
PID 3092 wrote to memory of 1456	3092	AddInProcess32.exe	109
PID 3092 wrote to memory of 1456	3092	AddInProcess32.exe	109
PID 3092 wrote to memory of 1456	3092	AddInProcess32.exe	109
PID 3092 wrote to memory of 4308	3092	AddInProcess32.exe	111
PID 3092 wrote to memory of 4308	3092	AddInProcess32.exe	111
PID 3092 wrote to memory of 4308	3092	AddInProcess32.exe	111
PID 3092 wrote to memory of 2028	3092	AddInProcess32.exe	113
PID 3092 wrote to memory of 2028	3092	AddInProcess32.exe	113
PID 3092 wrote to memory of 2028	3092	AddInProcess32.exe	113
PID 3092 wrote to memory of 1148	3092	AddInProcess32.exe	115
PID 3092 wrote to memory of 1148	3092	AddInProcess32.exe	115
PID 3092 wrote to memory of 1148	3092	AddInProcess32.exe	115
PID 3092 wrote to memory of 1960	3092	AddInProcess32.exe	117
PID 3092 wrote to memory of 1960	3092	AddInProcess32.exe	117
PID 3092 wrote to memory of 1960	3092	AddInProcess32.exe	117
PID 3092 wrote to memory of 3364	3092	AddInProcess32.exe	119
PID 3092 wrote to memory of 3364	3092	AddInProcess32.exe	119
PID 3092 wrote to memory of 3364	3092	AddInProcess32.exe	119
PID 3092 wrote to memory of 4140	3092	AddInProcess32.exe	121
PID 3092 wrote to memory of 4140	3092	AddInProcess32.exe	121
PID 3092 wrote to memory of 4140	3092	AddInProcess32.exe	121
PID 3092 wrote to memory of 2240	3092	AddInProcess32.exe	123
PID 3092 wrote to memory of 2240	3092	AddInProcess32.exe	123
PID 3092 wrote to memory of 2240	3092	AddInProcess32.exe	123
PID 3092 wrote to memory of 1412	3092	AddInProcess32.exe	125
PID 3092 wrote to memory of 1412	3092	AddInProcess32.exe	125
PID 3092 wrote to memory of 1412	3092	AddInProcess32.exe	125
PID 3092 wrote to memory of 1744	3092	AddInProcess32.exe	127
PID 3092 wrote to memory of 1744	3092	AddInProcess32.exe	127
PID 3092 wrote to memory of 1744	3092	AddInProcess32.exe	127
PID 3092 wrote to memory of 232	3092	AddInProcess32.exe	129
PID 3092 wrote to memory of 232	3092	AddInProcess32.exe	129
PID 3092 wrote to memory of 232	3092	AddInProcess32.exe	129
PID 3092 wrote to memory of 2796	3092	AddInProcess32.exe	131
PID 3092 wrote to memory of 2796	3092	AddInProcess32.exe	131
PID 3092 wrote to memory of 2796	3092	AddInProcess32.exe	131

C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
"C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/3092-61-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-57-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-99-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-21-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-81-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-82-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-77-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-23-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-73-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-65-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-66-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-49-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-46-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-45-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-37-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-33-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-19-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-27-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-85-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-78-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3092-26-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3368-3-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/3368-17-0x0000000007AC0000-0x0000000007AE2000-memory.dmp

Filesize
136KB

Download
memory/3368-11-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3368-12-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3368-24-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3368-14-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3368-13-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3368-1-0x0000000000210000-0x000000000040A000-memory.dmp

Filesize
2.0MB

Download
memory/3368-0-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3368-2-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/3368-16-0x0000000006AA0000-0x0000000006AA6000-memory.dmp

Filesize
24KB

Download
memory/3368-9-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/3368-8-0x00000000052B0000-0x00000000052C6000-memory.dmp

Filesize
88KB

Download
memory/3368-7-0x0000000004EA0000-0x0000000004ED2000-memory.dmp

Filesize
200KB

Download
memory/3368-6-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3368-5-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/3368-4-0x0000000004F40000-0x0000000005294000-memory.dmp

Filesize
3.3MB

Download
memory/3368-15-0x0000000006960000-0x000000000697A000-memory.dmp

Filesize
104KB

Download