stealc | 06eeea67da42a6fc54b4f0dc845dba6e86dbc967491741d559506871cb06086b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 23:21

Target

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
Size

2.9MB
MD5

0f199baaa2378448502c71cc553f0c45
SHA1

58cae81efd680ab12624e4afdd36c996ec7ebdf8
SHA256

06eeea67da42a6fc54b4f0dc845dba6e86dbc967491741d559506871cb06086b
SHA512

5cdfff0aa550d1d0f8713ab444b1337b1025dfaa3d33beea29a996c27fe7ce1ac3ae694e5bca024f77277612b14c874229086681d94fbeb480c6d4f236ea2394
SSDEEP

49152:/xziQCveAr+JfGTr25Ohf2s8n/QDHT4TgjIgrajGlkI08:liPveO+QTrp2sLjT49grvOI0

Score

10^/10

stealc stealer

Family

stealc

http://89.105.201.132

Attributes

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe

description pid process target process

PID 948 set thread context of 2536 948 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.execmd.exe

pid process

948 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
948 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
2536 cmd.exe
2536 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.execmd.exe

pid process

948 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
2536 cmd.exe

description	pid	process	target process
PID 948 set thread context of 2536	948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe

pid	process
948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
2536	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 2536	948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 948 wrote to memory of 2536	948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 948 wrote to memory of 2536	948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 948 wrote to memory of 2536	948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 948 wrote to memory of 2536	948	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 2536 wrote to memory of 2256	2536	cmd.exe	explorer.exe
PID 2536 wrote to memory of 2256	2536	cmd.exe	explorer.exe
PID 2536 wrote to memory of 2256	2536	cmd.exe	explorer.exe
PID 2536 wrote to memory of 2256	2536	cmd.exe	explorer.exe
PID 2536 wrote to memory of 2256	2536	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\8b5df7d7
Filesize
829KB

MD5
0194b1947fa04252465c87512d0a50c6

SHA1
619db8871f675a345fc9c1b4f1f01147a4685b51

SHA256
76f113b658afc74684ff08c1fef66d23b383dcda565bc0f99ff6cbc5776d3a7a

SHA512
fe8bc5c73841f5dd79a022a3147578f0aa8ea8665c0aedef0e3706431a87522c8d057eda334fe74fa12469564382c334242dfb7c70f28cc39e31294c5efe27c6

Download Submit
memory/948-1-0x000007FEF73D0000-0x000007FEF7528000-memory.dmp

Filesize
1.3MB

Download
memory/948-2-0x000007FEF73D0000-0x000007FEF7528000-memory.dmp

Filesize
1.3MB

Download
memory/948-3-0x000007FEF73D0000-0x000007FEF7528000-memory.dmp

Filesize
1.3MB

Download
memory/2256-12-0x0000000077C70000-0x0000000077E19000-memory.dmp

Filesize
1.7MB

Download
memory/2256-11-0x0000000000670000-0x00000000008AC000-memory.dmp

Filesize
2.2MB

Download
memory/2256-13-0x0000000000670000-0x00000000008AC000-memory.dmp

Filesize
2.2MB

Download
memory/2256-16-0x00000000003E0000-0x0000000000661000-memory.dmp

Filesize
2.5MB

Download
memory/2256-18-0x0000000000670000-0x00000000008AC000-memory.dmp

Filesize
2.2MB

Download
memory/2536-7-0x00000000754B0000-0x0000000075624000-memory.dmp

Filesize
1.5MB

Download
memory/2536-8-0x00000000754B0000-0x0000000075624000-memory.dmp

Filesize
1.5MB

Download
memory/2536-10-0x00000000754B0000-0x0000000075624000-memory.dmp

Filesize
1.5MB

Download
memory/2536-6-0x0000000077C70000-0x0000000077E19000-memory.dmp

Filesize
1.7MB

Download