stealc | b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe
Size

427KB
MD5

96cb2e366cff033aac894dd0dd0f71f6
SHA1

874482f06a0c85eb475c503a237e98864ebb220a
SHA256

b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68
SHA512

24e2ae76be23acd76fa5ef43179942adf7354062921a85aec3cfaad05a15f5b30a85f1d0a43a79f8eba85d1d0ab6c3f78aea56c7b06d11dad018657da04abaa0
SSDEEP

6144:KIwrPnGVltMcO17ts6tRcuARnu40hOj4z9afaLEn02xE+V:KIwrvOlEtz6RnuBOj4p+q+V

Score

10^/10

stealc stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe

Executes dropped EXE 4 IoCs

pid	Process
1620	u1ns.0.exe
4020	Qg_Appv5.exe
4572	SpyShelter.exe
2596	SpyShelter.exe

Loads dropped DLL 21 IoCs

pid	Process
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
4572	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1836	2596	SpyShelter.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3168	1620	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4020	Qg_Appv5.exe
4020	Qg_Appv5.exe
4572	SpyShelter.exe
2596	SpyShelter.exe
2596	SpyShelter.exe
1836	cmd.exe
1836	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2596	SpyShelter.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4020	Qg_Appv5.exe
4020	Qg_Appv5.exe
4020	Qg_Appv5.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1620	2152	b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe	96
PID 2152 wrote to memory of 1620	2152	b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe	96
PID 2152 wrote to memory of 1620	2152	b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe	96
PID 2152 wrote to memory of 4020	2152	b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe	118
PID 2152 wrote to memory of 4020	2152	b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe	118
PID 4020 wrote to memory of 4572	4020	Qg_Appv5.exe	119
PID 4020 wrote to memory of 4572	4020	Qg_Appv5.exe	119
PID 4572 wrote to memory of 2596	4572	SpyShelter.exe	120
PID 4572 wrote to memory of 2596	4572	SpyShelter.exe	120
PID 2596 wrote to memory of 1836	2596	SpyShelter.exe	121
PID 2596 wrote to memory of 1836	2596	SpyShelter.exe	121
PID 2596 wrote to memory of 1836	2596	SpyShelter.exe	121
PID 2596 wrote to memory of 1836	2596	SpyShelter.exe	121

C:\Users\Admin\AppData\Local\Temp\b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe
"C:\Users\Admin\AppData\Local\Temp\b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\u1ns.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u1ns.0.exe"
  2⤵
  - Executes dropped EXE
  PID:1620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1104
    3⤵
    - Program crash
    PID:3168
- C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
  "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\SpyShelter.exe
    C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\SpyShelter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Roaming\MonChanneloya_dbg\SpyShelter.exe
      C:\Users\Admin\AppData\Roaming\MonChanneloya_dbg\SpyShelter.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1620 -ip 1620
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$AnyBurn$\3A11.tmp.ico

Filesize
2KB

MD5
4198afdeb9ace242c575ee572af22e1f

SHA1
32784594ec69ca459878010401c3931be8e5e15e

SHA256
b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e

SHA512
d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\SpyShelter.exe

Filesize
316KB

MD5
c637e5ecf625b72f4bef9d28cd81d612

SHA1
a2c1329d290e508ee9fd0eb81e7f25d57e450f8c

SHA256
111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6

SHA512
727d78bab4fab3674eec92ca5f07df6a0095ab3b973dd227c599c70e8493592bb53bb9208cc6270713283ef0065acfad3203ddcf4dcb6d43f8727f09ceaaf2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\flutter_desktop_sleep_plugin.dll

Filesize
91KB

MD5
ae8bbd77a997d05c06e459f0f3faa5af

SHA1
843ae129debba252eaebce0459adccddc1315826

SHA256
9600697c57da5a1411a227eb5fc135f20d0ea292f458290d15fb959c1f75537e

SHA512
13067ed69244f94206e642b408143409b48fb976221dbbbbdd86f0b357a8b7b0cad334a6259751a718f2149e183d322bb8b03e26abff2cdcac2826a551e27d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\flutter_windows.dll

Filesize
17.4MB

MD5
ebbc845556b9e6565a11ba21125622a2

SHA1
96db067f8b8bc215aa7bff174205996cccd769a4

SHA256
c352676719f491582d638196348e6133b5ac6c5d218a75110453a809c45d0611

SHA512
62297684eaf8cdc1c3cb56bf99009feed0e8933e3101f353b8edbc19b502060750c7c9a72256bcf3b1a66ac10b5c22b8cc4b37a2bc8b21042fc0ffbd3c95790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\tercentenary.psd

Filesize
55KB

MD5
837ce39e099d39e339ff2bf6ef21a985

SHA1
ad8a275caee75bd6fab244c8b22716467258a8d5

SHA256
c69c8110ab93beb1a03575d5dfbc7e46cacb6f3da43f1113ee3b1edd4df35e38

SHA512
89ff97eb6d42d46c1fba590beb507ea6134021ad7213d120694e35fffed45a4c3bf3909271dd7baf1f33661a567b98737d49ab4c2d334811c660cd7dd4052e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\tray_manager_plugin.dll

Filesize
113KB

MD5
65dcbb76cbb2bbb1684186f1520e888d

SHA1
25d656c1cb3c814776779bc53e0e2b937d8441f4

SHA256
9c7e0de576932c8b2149849c96f3493bcae215f6db5996dbaf5ae1788697e8f0

SHA512
e351547e551943db0267828e283797c81b593ec303cee4d4447226e86927acac93b87226e79e1a913a1ec397b4183b7ee81a2af8764f71d7fa73c41bb102d9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\url_launcher_windows_plugin.dll

Filesize
92KB

MD5
7e6a40e0083af22b186b662553d679fc

SHA1
b74c38d1d33004fb27b1df8003ecd4b87a5739c1

SHA256
578323ec0b492e72987778af3811cd00b71171b1e84b92e720964543f8f3a183

SHA512
3ac74e807bddffc2965cb3878a51e5c7c3b5eab2dcf8bc1ffaa41a56e20460cd01ff6b9a00d78e1aa021f5b9c38ba4f4726d37bf42749da4fa208e3f8985c114

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\windows_single_instance_plugin.dll

Filesize
82KB

MD5
00c451a17ddfcd810086fb2ad794125a

SHA1
feba77a0ca91f828099a3444a93ff11b6ce40fe5

SHA256
f1430479210c19093d76435e5826e3578420933248b51164e11f0992f77ed1f1

SHA512
6ea4d2556e0b82d017cde2a3c5c9b2881daca6b5af0e92cd10be886047eb6303085244ac1bb764e96595b3ca448504591c976dfefbffca8c6cbabe28f81e78c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonChanneloya_dbg\writ.log

Filesize
1.2MB

MD5
b536377acb78ecb3e611592d443f0361

SHA1
d185d3dc719d3ffb31627b8117aaffa657841b52

SHA256
2ce6fb57552d757767c6efb26ba143c040a6a3188ad78b3ac9ec7e2345bb784f

SHA512
f338b8dedfdb752aa796db92a2a626559c432e6e524d5ca7bd9b18f66107c7d6bc82c0b4223f9ebb467db140777f1538ea835733b9df4be9ed9673d9323267e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe

Filesize
21.6MB

MD5
4ad2ed370734e0e211447e0e22d48d38

SHA1
306f5112421f490fca74fb4177fed81773e6c4df

SHA256
dc293b4b3b775280ffa995ca93732bf60b40efb7bb348abf3e7a7ddd36c37c40

SHA512
bad38366cb5cc68b8dcc992d958418ff6eec985d991cdfe15be12cd4ce3862a15081ce1e80f9f0a1d4d33a154048d340951c22d17a67078adaea44f450e251f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bec2c5fe

Filesize
17.2MB

MD5
19d0aa4981833fa48abc56722ece310f

SHA1
bc5dc302819700f872faf554b90b750c841baa7f

SHA256
6e4d87cd4700b93806f1c9dcd2616c69dbad52d260d0932049a85cb031ffdda7

SHA512
c8d0133848f317e1696f31b477a874b1070e16c67bded21ea88fde0f2f74557cdf9fd4b768a49697f658062a0b64a730e4201075303a9c5f742c6b7e3dbfdb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15d30e9

Filesize
1.4MB

MD5
f3ab30cfa1a6c0e2164e6aee94a8cdb5

SHA1
fef9a5066c65263b9369ad483325461f6a8e23f3

SHA256
1329ad56eb5497dfc1dd72e02149806ad9bcc7daecfc13db2636679e655e4582

SHA512
f7e36a01c34fa172a5f2cff4760eab08000ce1c46490012aa6b71faaead8510e5eb53b2484cf57af0a44eda311f80e2c88b36a0e3046c36d440860f81ebe1f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1ns.0.exe

Filesize
283KB

MD5
329bc43cda762f853095671ec1454c8f

SHA1
ad03097d49c3d5f6f9527036872dc399a27ef4c2

SHA256
77d2045b214ad57a071131305a0dcdcaf51fde050bd0de0ece82d7ccc43ed584

SHA512
240baaaa1330186096cf71d772adfb623a49ddb9ea02ea525bacd59180f38d3209fd2ac48508ad8ff85f302a9487b0fb7ce47f9b3757c76a97d80fb14b8910b3

Download Submit
memory/1620-19-0x0000000000400000-0x0000000001A11000-memory.dmp

Filesize
22.1MB

Download
memory/1620-18-0x0000000000400000-0x0000000001A11000-memory.dmp

Filesize
22.1MB

Download
memory/1620-17-0x0000000001AB0000-0x0000000001AD7000-memory.dmp

Filesize
156KB

Download
memory/1620-16-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download
memory/1836-151-0x00007FF8D0A50000-0x00007FF8D0C45000-memory.dmp

Filesize
2.0MB

Download
memory/2152-22-0x0000000001BD0000-0x0000000001CD0000-memory.dmp

Filesize
1024KB

Download
memory/2152-2-0x00000000037B0000-0x000000000381E000-memory.dmp

Filesize
440KB

Download
memory/2152-3-0x0000000000400000-0x0000000001A35000-memory.dmp

Filesize
22.2MB

Download
memory/2152-52-0x0000000000400000-0x0000000001A35000-memory.dmp

Filesize
22.2MB

Download
memory/2152-23-0x00000000037B0000-0x000000000381E000-memory.dmp

Filesize
440KB

Download
memory/2152-1-0x0000000001BD0000-0x0000000001CD0000-memory.dmp

Filesize
1024KB

Download
memory/2152-20-0x0000000000400000-0x0000000001A35000-memory.dmp

Filesize
22.2MB

Download
memory/2596-144-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/2596-147-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/2596-145-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/4020-54-0x0000000000400000-0x0000000001ACB000-memory.dmp

Filesize
22.8MB

Download
memory/4020-85-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/4020-146-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/4020-60-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/4020-62-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/4020-63-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download
memory/4572-108-0x00007FF8B2810000-0x00007FF8B2982000-memory.dmp

Filesize
1.4MB

Download