stealc | 06eeea67da42a6fc54b4f0dc845dba6e86dbc967491741d559506871cb06086b

Analysis

max time kernel
66s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
Size

2.9MB
MD5

0f199baaa2378448502c71cc553f0c45
SHA1

58cae81efd680ab12624e4afdd36c996ec7ebdf8
SHA256

06eeea67da42a6fc54b4f0dc845dba6e86dbc967491741d559506871cb06086b
SHA512

5cdfff0aa550d1d0f8713ab444b1337b1025dfaa3d33beea29a996c27fe7ce1ac3ae694e5bca024f77277612b14c874229086681d94fbeb480c6d4f236ea2394
SSDEEP

49152:/xziQCveAr+JfGTr25Ohf2s8n/QDHT4TgjIgrajGlkI08:liPveO+QTrp2sLjT49grvOI0

Score

10^/10

stealc stealer

Malware Config

Extracted

Family

stealc

http://89.105.201.132

Attributes

url_path
/c44a765f550f6a2f.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe

description pid process target process

PID 1416 set thread context of 3592 1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.execmd.exe

pid process

1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
3592 cmd.exe
3592 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.execmd.exe

pid process

1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
3592 cmd.exe

description	pid	process	target process
PID 1416 set thread context of 3592	1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe

pid	process
1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
3592	cmd.exe
3592	cmd.exe

pid	process
1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
3592	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 3592	1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 1416 wrote to memory of 3592	1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 1416 wrote to memory of 3592	1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 1416 wrote to memory of 3592	1416	2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe	cmd.exe
PID 3592 wrote to memory of 3188	3592	cmd.exe	explorer.exe
PID 3592 wrote to memory of 3188	3592	cmd.exe	explorer.exe
PID 3592 wrote to memory of 3188	3592	cmd.exe	explorer.exe
PID 3592 wrote to memory of 3188	3592	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:3188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\78fdf95f
Filesize
829KB

MD5
c51a2b61187e792051d9a68757dbc0f1

SHA1
bf3c9fe31460dbbdd3964d66af3a3b6eae674799

SHA256
48a57aefb468d2b73771d5bae7e364e23d0f5ee633ffcaf139b7d46c766beec8

SHA512
1108fccdad0f7512e97ad647abec4323442eb1ca430f9a2f34b5b320b59d1fe9ef2dbae91be0875c0e76148e43afeb4b473682c7c5d2f3fdf744e5439cb16f82

Download Submit
memory/1416-1-0x00007FFAA3F30000-0x00007FFAA40A2000-memory.dmp

Filesize
1.4MB

Download
memory/1416-2-0x00007FFAA3F30000-0x00007FFAA40A2000-memory.dmp

Filesize
1.4MB

Download
memory/1416-3-0x00007FFAA3F30000-0x00007FFAA40A2000-memory.dmp

Filesize
1.4MB

Download
memory/3188-12-0x00007FFAB2FF0000-0x00007FFAB31E5000-memory.dmp

Filesize
2.0MB

Download
memory/3188-11-0x0000000000B50000-0x0000000000D8C000-memory.dmp

Filesize
2.2MB

Download
memory/3188-13-0x0000000000B50000-0x0000000000D8C000-memory.dmp

Filesize
2.2MB

Download
memory/3188-16-0x0000000000B50000-0x0000000000D8C000-memory.dmp

Filesize
2.2MB

Download
memory/3188-15-0x0000000000110000-0x0000000000543000-memory.dmp

Filesize
4.2MB

Download
memory/3188-17-0x0000000000B50000-0x0000000000D8C000-memory.dmp

Filesize
2.2MB

Download
memory/3592-7-0x0000000074D10000-0x0000000074E8B000-memory.dmp

Filesize
1.5MB

Download
memory/3592-8-0x0000000074D10000-0x0000000074E8B000-memory.dmp

Filesize
1.5MB

Download
memory/3592-10-0x0000000074D10000-0x0000000074E8B000-memory.dmp

Filesize
1.5MB

Download
memory/3592-6-0x00007FFAB2FF0000-0x00007FFAB31E5000-memory.dmp

Filesize
2.0MB

Download