Overview

overview

10

Static

static

3

df3b1ad544...c3.exe

windows7-x64

10

df3b1ad544...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3.exe

  • Size

    710KB

  • MD5

    b8cd8b40bda5bec1e8d5b765b5a90db4

  • SHA1

    41057c8497d0845fd54771d0e23ca234af9b3b2c

  • SHA256

    df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3

  • SHA512

    142347781d4f3b809d0e6331f38507e547031c4e7f984a4c3f4384273f6718f841fb481d7312c990846b89f0fa5f9d68c6231e0243b222c51015e138e59d9085

  • SSDEEP

    12288:mwr2yHL6YwYXFRXO0vxrnUnevKJx7oNd+mj771U4Zo8y0kVTo4qLhyCNcDAt:RHL6YwYX7pxrnUV3kNd+i729To4q7C2

Score
10/10
outsteelspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3.exe
    "C:\Users\Admin\AppData\Local\Temp\df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
      2⤵
        PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
        2⤵
          PID:1704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
          2⤵
            PID:3760
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
            2⤵
              PID:4716
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
              2⤵
                PID:3972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                2⤵
                  PID:4344
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                  2⤵
                    PID:4452
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                    2⤵
                      PID:1032
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                      2⤵
                        PID:4552
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                        2⤵
                          PID:4032
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                          2⤵
                            PID:4216
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                            2⤵
                              PID:4720
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                              2⤵
                                PID:1512
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                2⤵
                                  PID:4348
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                  2⤵
                                    PID:4808
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                    2⤵
                                      PID:1548
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                      2⤵
                                        PID:4696

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/3056-1-0x0000000000760000-0x0000000000860000-memory.dmp

                                      Filesize

                                      1024KB

                                      Download

                                    • memory/3056-2-0x0000000002200000-0x00000000022DD000-memory.dmp

                                      Filesize

                                      884KB

                                      Download

                                    • memory/3056-3-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-4-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-6-0x0000000000760000-0x0000000000860000-memory.dmp

                                      Filesize

                                      1024KB

                                      Download

                                    • memory/3056-7-0x0000000002200000-0x00000000022DD000-memory.dmp

                                      Filesize

                                      884KB

                                      Download

                                    • memory/3056-8-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-10-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-12-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-14-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-16-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download

                                    • memory/3056-19-0x0000000000400000-0x00000000004E2000-memory.dmp

                                      Filesize

                                      904KB

                                      Download