outsteel | afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
Size

623KB
MD5

103118660a0abadc99831e23777979b5
SHA1

f69be5dcf16ef31a9aa66dce34f35fd84972f3e7
SHA256

afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a
SHA512

7bf46133dd6e8c17185ecd7b44ecb3ca03d21deeb8d008da60e4dd131a0bc31201ba9286a9106e52a62e845092ce605d9f79a712cf7481cbd5b85359dc332857
SSDEEP

12288:Klvu3c06Ss3jOgT2ZQWiypMCRmAAw0tNic8XuPtHmF9zvN9u:iusdptjCRmAAw0tNZ8XO1m3x9u

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\n:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\s:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\u:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\v:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\x:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\b:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\l:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\t:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\w:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\e:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\h:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\j:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\o:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\y:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\z:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\a:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\i:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\k:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\p:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\q:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\r:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\g:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1940-2-0x0000000001D40000-0x0000000001E1D000-memory.dmp	autoit_exe
behavioral1/memory/1940-3-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-4-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-7-0x0000000001D40000-0x0000000001E1D000-memory.dmp	autoit_exe
behavioral1/memory/1940-8-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-14-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-16-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/1940-19-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3060	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	28
PID 1940 wrote to memory of 3060	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	28
PID 1940 wrote to memory of 3060	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	28
PID 1940 wrote to memory of 3060	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	28
PID 1940 wrote to memory of 2072	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	30
PID 1940 wrote to memory of 2072	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	30
PID 1940 wrote to memory of 2072	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	30
PID 1940 wrote to memory of 2072	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	30
PID 1940 wrote to memory of 2864	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	32
PID 1940 wrote to memory of 2864	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	32
PID 1940 wrote to memory of 2864	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	32
PID 1940 wrote to memory of 2864	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	32
PID 1940 wrote to memory of 2668	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	34
PID 1940 wrote to memory of 2668	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	34
PID 1940 wrote to memory of 2668	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	34
PID 1940 wrote to memory of 2668	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	34
PID 1940 wrote to memory of 2888	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	36
PID 1940 wrote to memory of 2888	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	36
PID 1940 wrote to memory of 2888	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	36
PID 1940 wrote to memory of 2888	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	36
PID 1940 wrote to memory of 2124	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	38
PID 1940 wrote to memory of 2124	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	38
PID 1940 wrote to memory of 2124	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	38
PID 1940 wrote to memory of 2124	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	38
PID 1940 wrote to memory of 2416	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	40
PID 1940 wrote to memory of 2416	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	40
PID 1940 wrote to memory of 2416	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	40
PID 1940 wrote to memory of 2416	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	40
PID 1940 wrote to memory of 2744	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	42
PID 1940 wrote to memory of 2744	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	42
PID 1940 wrote to memory of 2744	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	42
PID 1940 wrote to memory of 2744	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	42
PID 1940 wrote to memory of 2832	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	44
PID 1940 wrote to memory of 2832	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	44
PID 1940 wrote to memory of 2832	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	44
PID 1940 wrote to memory of 2832	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	44
PID 1940 wrote to memory of 2684	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	46
PID 1940 wrote to memory of 2684	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	46
PID 1940 wrote to memory of 2684	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	46
PID 1940 wrote to memory of 2684	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	46
PID 1940 wrote to memory of 2576	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	48
PID 1940 wrote to memory of 2576	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	48
PID 1940 wrote to memory of 2576	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	48
PID 1940 wrote to memory of 2576	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	48
PID 1940 wrote to memory of 1980	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	50
PID 1940 wrote to memory of 1980	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	50
PID 1940 wrote to memory of 1980	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	50
PID 1940 wrote to memory of 1980	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	50
PID 1940 wrote to memory of 2388	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	52
PID 1940 wrote to memory of 2388	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	52
PID 1940 wrote to memory of 2388	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	52
PID 1940 wrote to memory of 2388	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	52
PID 1940 wrote to memory of 2804	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	54
PID 1940 wrote to memory of 2804	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	54
PID 1940 wrote to memory of 2804	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	54
PID 1940 wrote to memory of 2804	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	54
PID 1940 wrote to memory of 2828	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	56
PID 1940 wrote to memory of 2828	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	56
PID 1940 wrote to memory of 2828	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	56
PID 1940 wrote to memory of 2828	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	56
PID 1940 wrote to memory of 2840	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	58
PID 1940 wrote to memory of 2840	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	58
PID 1940 wrote to memory of 2840	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	58
PID 1940 wrote to memory of 2840	1940	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	58

C:\Users\Admin\AppData\Local\Temp\afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
"C:\Users\Admin\AppData\Local\Temp\afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-1-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/1940-2-0x0000000001D40000-0x0000000001E1D000-memory.dmp

Filesize
884KB

Download
memory/1940-3-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-4-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-5-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/1940-7-0x0000000001D40000-0x0000000001E1D000-memory.dmp

Filesize
884KB

Download
memory/1940-8-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-14-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-16-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-19-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download