General

  • Target

    ab8c4144227e463e70ce0f44eaf5e8545fc74dc9139f46aad4a82b10d39990bd

  • Size

    378KB

  • Sample

    240417-q7zjfaaf68

  • MD5

    5fd36594f634ec6a7dd998f946dd3911

  • SHA1

    5915b1c72d8144ef2fa111704d6cd3f717767d72

  • SHA256

    ab8c4144227e463e70ce0f44eaf5e8545fc74dc9139f46aad4a82b10d39990bd

  • SHA512

    cf57891be1bec26e545a2acbbf8cfd89600c6c27655b50ab6fe9d973a9979edbe9a0e3998113ffb2922896faa77a31132b4a04b912dd553247e3d67570e2fe99

  • SSDEEP

    6144:7snjEZ+MaSHgZFyXn4/jtHB28VgE69rqhOJhsVn6lVCi4xDVdFMpP5AfXh1HO:7sniQE34btHBEE61qhO0VaCNKEJ1u

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Targets

    • Target

      adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe

    • Size

      395KB

    • MD5

      faeea4484adbb16f4f37872b15d9972a

    • SHA1

      34f5f1a5545344916dad04807ca07743258099be

    • SHA256

      adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

    • SHA512

      51d068a4df42f6f3f1166a4d11a311aafd7684656e241d013548a32b6b80ab3c07bfb50311cd2b9b3f4bd8a31834039010a0e461f6b05cc2a43551a7883e92f6

    • SSDEEP

      12288:VvpMG3BLI6HW0XuX7XVGB7AKtyqLETeZEDb4C2:VvpM81z+LXV8tvLAeZMb4t

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Stealc

      Stealc is an infostealer written in C++.

    • UAC bypass

    • Windows security bypass

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks