Malware Analysis Report

2024-08-06 12:40

Sample ID 240504-tm3bdadg29
Target build.exe
SHA256 1d0a104ed7ac079e1d15b29288eab5c9fdd6691817b37ed7fff8af14c378b9d4
Tags
stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d0a104ed7ac079e1d15b29288eab5c9fdd6691817b37ed7fff8af14c378b9d4

Threat Level: Known bad

The file build.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium

Stealerium family

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-04 16:11

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 16:11

Reported

2024-05-04 16:13

Platform

win10v2004-20240419-en

Max time kernel

125s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3256 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3256 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3256 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3256 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3256 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 396

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 88.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/396-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

memory/396-1-0x0000000000950000-0x0000000000AE6000-memory.dmp

memory/396-2-0x0000000005360000-0x00000000053C6000-memory.dmp

memory/396-3-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/396-6-0x00000000059A0000-0x0000000005A32000-memory.dmp

memory/396-7-0x0000000005A30000-0x0000000005A56000-memory.dmp

memory/396-8-0x0000000005A80000-0x0000000005A88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat

MD5 9ff71c9e0971c54ad2be7ffc4a55ae0e
SHA1 9feeec91d12541a041d7c5745f4e567cef31c3ef
SHA256 6741dd14ecdedbcc4da21d9c867a1dbc5ebdb7863039948de628f565103763ce
SHA512 549a93f70d12d9f1248bc203ba4b50d5a59b44310e401aef7742cdbe25b71de94c24b73d0e874c567fde7d01af49c564ddccdbbb47a502c093758f7031fc2f48

memory/396-13-0x00000000751A0000-0x0000000075950000-memory.dmp