Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

8

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-04-2024 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bffaf04a07c5a17c84a85703e49b7813489593db84d9c8147d2279e5414471dd.exe

  • Size

    497KB

  • MD5

    05121c54247f7a8bbebdfeecd2a1ae4e

  • SHA1

    d2131395bfbe15b9a0fd99e89bda5ff348c1b195

  • SHA256

    bffaf04a07c5a17c84a85703e49b7813489593db84d9c8147d2279e5414471dd

  • SHA512

    af64644d96ad611194026c3b3d97cf61f62a3783a7fe62895d306f14a40d2c7458d586f03aca3b0fd028529b7db05de1c65b0189f516c61d21fa0800f07c93ab

  • SSDEEP

    12288:80il6waZftf+ZTOHVkXXcA4KEd4SOoZaWHV4h6:80gSftfC0VirbSOoZaWHV4h6

Score
10/10
stealcstealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bffaf04a07c5a17c84a85703e49b7813489593db84d9c8147d2279e5414471dd.exe
    "C:\Users\Admin\AppData\Local\Temp\bffaf04a07c5a17c84a85703e49b7813489593db84d9c8147d2279e5414471dd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\uw8.0.exe
      "C:\Users\Admin\AppData\Local\Temp\uw8.0.exe"
      2⤵
      • Executes dropped EXE
      PID:4536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1240
        3⤵
        • Program crash
        PID:3548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4536 -ip 4536
    1⤵
      PID:3828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\uw8.0.exe
      Filesize

      352KB

      MD5

      80e2c398d0e2dfda0160adea3381b007

      SHA1

      1d1df0a55ee3447f9db99333a5f6b3a580277c22

      SHA256

      f9bc672a380dfefae4bdb1df4132408f29344947bfede70c5c6129865f734d69

      SHA512

      25c217adcd552776b60d01ba86e22def4e05ac8c43c791254df2def271d40c10782edef6dcfb6d0aa8251652912a3d31af9a8637cc2b1269229f28febe8e8697

      Download Submit

    • memory/1160-1-0x0000000001BA0000-0x0000000001CA0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1160-2-0x0000000003910000-0x000000000397E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1160-3-0x0000000000400000-0x0000000001A48000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1160-4-0x0000000000400000-0x0000000001A48000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1160-5-0x0000000001BA0000-0x0000000001CA0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1160-15-0x0000000000400000-0x0000000001A48000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/4536-17-0x0000000003750000-0x0000000003777000-memory.dmp

      Filesize

      156KB

      Download

    • memory/4536-16-0x0000000001B00000-0x0000000001C00000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4536-18-0x0000000000400000-0x0000000001A23000-memory.dmp

      Filesize

      22.1MB

      Download

    • memory/4536-19-0x0000000000400000-0x0000000001A23000-memory.dmp

      Filesize

      22.1MB

      Download