Analysis

  • max time kernel
    25s
  • max time network
    27s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    29-04-2024 14:36

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    07c8d38da8624208313728eb0d497006

  • SHA1

    576c6b9c15d451c805aed2636079d59e80b9d944

  • SHA256

    84b4149d68f1969bc9e8a50defc397211a4cfe6023f2fd0bc5cccd7f4acda7fe

  • SHA512

    024f30c319a96d1bd6482034fd3bf85c15316797e6d60dd693a662bca73fe8d513b34db8b40a1a74149e89659ba0d7c77e38b2acce40bca38c48f1b841d6212b

  • SSDEEP

    49152:HLTq24GjdGSiqkqXfd+/9AqYanieKdQK:HiEjdGSiqkqXf0FLYW

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1234510856528728164/nFqIn7bd6bnTFMUgt7PK_8hX3jIZf38JR1mxd-DaAnfjOHNlSmQ03q7xPl-IWfe3ShJJ

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3428
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:4804
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        PID:2572
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1440
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:5060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 3240
      2⤵
      • Program crash
      PID:3700
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4188

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Credential Access
    • T1552 Unsecured Credentials (1)
    • T1552.001 Credentials In Files (1)
  • Discovery
    • T1012 Query Registry (1)
    • T1082 System Information Discovery (1)
  • Collection
    • T1005 Data from Local System (1)
    • T1114 Email Collection (1)
  • Command and Control
    • T1102 Web Service (1)


Downloads

  • C:\Users\Admin\AppData\Local\54a6b1a8256a949c1f590d727e9cd425\Admin@DFZPKZRM_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\54a6b1a8256a949c1f590d727e9cd425\Admin@DFZPKZRM_en-US\System\Apps.txt
    Filesize: 4KB
    MD5: 2640460603b8200f9cb24cd01275174f
    SHA1: cd39498cba3d4f4742039a1091731f74db2fa9c0
    SHA256: 94f5ec486f4b2387c004fac0cfc5012c120cb7190c370ed09639056c10c5afcb
    SHA512: e65173b4cc98aaaf92cc0e2b5446e1854a45253ab0a8e133a1c85a0cfc95beaac6842af432d61accbf9a193f1f711f6dced6a26d699ff1ee21e27ffbc74d6c62

  • memory/3428-11-0x0000000006AB0000-0x0000000006AB8000-memory.dmp
    Filesize: 32KB

  • memory/3428-12-0x0000000006AD0000-0x0000000006AEE000-memory.dmp
    Filesize: 120KB

  • memory/3428-7-0x0000000005B40000-0x0000000005BD2000-memory.dmp
    Filesize: 584KB

  • memory/3428-8-0x0000000005BD0000-0x0000000005BF6000-memory.dmp
    Filesize: 152KB

  • memory/3428-9-0x00000000056A0000-0x00000000056A8000-memory.dmp
    Filesize: 32KB

  • memory/3428-10-0x00000000056B0000-0x00000000056BA000-memory.dmp
    Filesize: 40KB

  • memory/3428-0-0x0000000000C10000-0x0000000000DA2000-memory.dmp
    Filesize: 1.6MB

  • memory/3428-3-0x00000000056C0000-0x00000000056D0000-memory.dmp
    Filesize: 64KB

  • memory/3428-2-0x00000000055C0000-0x0000000005626000-memory.dmp
    Filesize: 408KB

  • memory/3428-53-0x0000000007520000-0x00000000075B2000-memory.dmp
    Filesize: 584KB

  • memory/3428-60-0x0000000007AC0000-0x0000000007FBE000-memory.dmp
    Filesize: 5.0MB

  • memory/3428-87-0x0000000073430000-0x0000000073B1E000-memory.dmp
    Filesize: 6.9MB

  • memory/3428-88-0x00000000056C0000-0x00000000056D0000-memory.dmp
    Filesize: 64KB

  • memory/3428-1-0x0000000073430000-0x0000000073B1E000-memory.dmp
    Filesize: 6.9MB

  • memory/3428-114-0x0000000073430000-0x0000000073B1E000-memory.dmp
    Filesize: 6.9MB