Overview

overview

10

Static

static

3

df3b1ad544...c3.exe

windows7-x64

10

df3b1ad544...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3.exe

  • Size

    710KB

  • MD5

    b8cd8b40bda5bec1e8d5b765b5a90db4

  • SHA1

    41057c8497d0845fd54771d0e23ca234af9b3b2c

  • SHA256

    df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3

  • SHA512

    142347781d4f3b809d0e6331f38507e547031c4e7f984a4c3f4384273f6718f841fb481d7312c990846b89f0fa5f9d68c6231e0243b222c51015e138e59d9085

  • SSDEEP

    12288:mwr2yHL6YwYXFRXO0vxrnUnevKJx7oNd+mj771U4Zo8y0kVTo4qLhyCNcDAt:RHL6YwYX7pxrnUV3kNd+i729To4q7C2

Score
10/10
outsteelspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3.exe
    "C:\Users\Admin\AppData\Local\Temp\df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
      2⤵
        PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
        2⤵
          PID:2992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
          2⤵
            PID:2596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
            2⤵
              PID:2832
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
              2⤵
                PID:1500
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                2⤵
                  PID:1884
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                  2⤵
                    PID:2316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                    2⤵
                      PID:2928
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                      2⤵
                        PID:2452
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                        2⤵
                          PID:2908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                          2⤵
                            PID:2280
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                            2⤵
                              PID:2308
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                              2⤵
                                PID:564
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                2⤵
                                  PID:1356
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                  2⤵
                                    PID:1476
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                    2⤵
                                      PID:2640
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                      2⤵
                                        PID:2728

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/3024-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

                                      Filesize

                                      1024KB

                                      Download

                                    • memory/3024-2-0x00000000004F0000-0x00000000005CD000-memory.dmp

                                      Filesize

                                      884KB

                                      Download

                                    • memory/3024-3-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-4-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-6-0x00000000005F0000-0x00000000006F0000-memory.dmp

                                      Filesize

                                      1024KB

                                      Download

                                    • memory/3024-7-0x00000000004F0000-0x00000000005CD000-memory.dmp

                                      Filesize

                                      884KB

                                      Download

                                    • memory/3024-8-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-10-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-12-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-14-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-17-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3024-19-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download