Overview

overview

10

Static

static

10

2024-04-30...uk.exe

windows7-x64

10

2024-04-30...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-04-2024 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe

  • Size

    2.9MB

  • MD5

    0f199baaa2378448502c71cc553f0c45

  • SHA1

    58cae81efd680ab12624e4afdd36c996ec7ebdf8

  • SHA256

    06eeea67da42a6fc54b4f0dc845dba6e86dbc967491741d559506871cb06086b

  • SHA512

    5cdfff0aa550d1d0f8713ab444b1337b1025dfaa3d33beea29a996c27fe7ce1ac3ae694e5bca024f77277612b14c874229086681d94fbeb480c6d4f236ea2394

  • SSDEEP

    49152:/xziQCveAr+JfGTr25Ohf2s8n/QDHT4TgjIgrajGlkI08:liPveO+QTrp2sLjT49grvOI0

Score
10/10
stealcstealer

Malware Config

Extracted

Family

stealc

C2

http://89.105.201.132

Attributes
  • url_path

    /c44a765f550f6a2f.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
          PID:2256

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8b5df7d7
      Filesize

      829KB

      MD5

      0194b1947fa04252465c87512d0a50c6

      SHA1

      619db8871f675a345fc9c1b4f1f01147a4685b51

      SHA256

      76f113b658afc74684ff08c1fef66d23b383dcda565bc0f99ff6cbc5776d3a7a

      SHA512

      fe8bc5c73841f5dd79a022a3147578f0aa8ea8665c0aedef0e3706431a87522c8d057eda334fe74fa12469564382c334242dfb7c70f28cc39e31294c5efe27c6

      Download Submit

    • memory/948-1-0x000007FEF73D0000-0x000007FEF7528000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/948-2-0x000007FEF73D0000-0x000007FEF7528000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/948-3-0x000007FEF73D0000-0x000007FEF7528000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2256-12-0x0000000077C70000-0x0000000077E19000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2256-11-0x0000000000670000-0x00000000008AC000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2256-13-0x0000000000670000-0x00000000008AC000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2256-16-0x00000000003E0000-0x0000000000661000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2256-18-0x0000000000670000-0x00000000008AC000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2536-7-0x00000000754B0000-0x0000000075624000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2536-8-0x00000000754B0000-0x0000000075624000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2536-10-0x00000000754B0000-0x0000000075624000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2536-6-0x0000000077C70000-0x0000000077E19000-memory.dmp

      Filesize

      1.7MB

      Download