stealerium | 1d0a104ed7ac079e1d15b29288eab5c9fdd6691817b37ed7fff8af14c378b9d4

Analysis

max time kernel
32s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

macspoof.exe
Size

1.6MB
MD5

e7b2f3e0b794bf5fa93620cf7d0493f3
SHA1

841a92af5c5c71a27379ad1e9acd426d0c4739b4
SHA256

1d0a104ed7ac079e1d15b29288eab5c9fdd6691817b37ed7fff8af14c378b9d4
SHA512

1d96b921857c559071a8a4fb19780126b594f85cd3464d1d8755d0bafc30d8e8baed6dd22446ffa92d9edcea932724931336598aa8d13c1f9cf1648ced796c3a
SSDEEP

24576:zi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL4L:2Tq24GjdGSiqkqXfd+/9AqYanieKd

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

bc1qea9m68q0zex4gpp8wgpaswg6hd03skjlap4j74

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

macspoof.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation macspoof.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

30 discord.com
31 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2820 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4400 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

macspoof.exe

pid process

1108 macspoof.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

macspoof.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1108 macspoof.exe
Token: SeDebugPrivilege 4400 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	macspoof.exe

flow	ioc
30	discord.com
31	discord.com

pid	process
2820	timeout.exe

pid	process
4400	taskkill.exe

pid	process
1108	macspoof.exe

description	pid	process
Token: SeDebugPrivilege	1108	macspoof.exe
Token: SeDebugPrivilege	4400	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

macspoof.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 4996	1108	macspoof.exe	cmd.exe
PID 1108 wrote to memory of 4996	1108	macspoof.exe	cmd.exe
PID 1108 wrote to memory of 4996	1108	macspoof.exe	cmd.exe
PID 4996 wrote to memory of 1404	4996	cmd.exe	chcp.com
PID 4996 wrote to memory of 1404	4996	cmd.exe	chcp.com
PID 4996 wrote to memory of 1404	4996	cmd.exe	chcp.com
PID 4996 wrote to memory of 4400	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 4400	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 4400	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 2820	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 2820	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 2820	4996	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\macspoof.exe
"C:\Users\Admin\AppData\Local\Temp\macspoof.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1404

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 1108
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp.bat
Filesize
57B

MD5
aba42da69ad4e45bc411147ccdb8816c

SHA1
c2da03a6b24901c3b218e2c48ca44e9db5d6e9c0

SHA256
b4f7b26167283873fa1717d26a942d756584429712ef4bdeb1c246f1883bbb5c

SHA512
ca0362c17871ffa7e512e8a7bf391d75e29a2794324c5d469152fdd0da3e2629540c5bd133dbce06725048df7f8c56c300c77567006e31db50f5a1838410a470

Download Submit
memory/1108-0-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/1108-1-0x00000000006C0000-0x0000000000856000-memory.dmp

Filesize
1.6MB

Download
memory/1108-2-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/1108-3-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-6-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/1108-7-0x00000000058F0000-0x0000000005916000-memory.dmp

Filesize
152KB

Download
memory/1108-8-0x0000000005930000-0x0000000005938000-memory.dmp

Filesize
32KB

Download
memory/1108-13-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download