stealerium | d1a3088999bfbf99d96ff4944b96fe7ab20e569b827c68f2c4e6671c1caf4de7

Analysis

max time kernel
7s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

1.6MB
MD5

031ddc992de5dc816303b7a6af716556
SHA1

1581966ddb51d6af46b2b1deb4169a80c4894836
SHA256

d1a3088999bfbf99d96ff4944b96fe7ab20e569b827c68f2c4e6671c1caf4de7
SHA512

5e4763fa48250b2ccf61e0bf8d430779509692834813139ee6de11706b8be20ef16d25fd81138b169af66fcc85de89a0b39f1baa576f0b419c213e7d89cc5689
SSDEEP

24576:Cdi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLaU:CUTq24GjdGSiqkqXfd+/9AqYanieKd

Score

10^/10

stealerium stealer

Malware Config

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

31 discord.com
32 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3340 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

892 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

stub.exe

pid process

2224 stub.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

stub.exe

description pid process

Token: SeDebugPrivilege 2224 stub.exe

flow	ioc
31	discord.com
32	discord.com

pid	process
3340	timeout.exe

pid	process
892	taskkill.exe

pid	process
2224	stub.exe

description	pid	process
Token: SeDebugPrivilege	2224	stub.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp563E.tmp.bat
2⤵
PID:4204

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:988

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2224
3⤵
- Kills process with taskkill
PID:892

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp563E.tmp.bat
Filesize
57B

MD5
fb471286e9fee748d15ea11e6e345c4d

SHA1
81bc710a89c97377494e8dc67abccc31f2942df1

SHA256
1b5ede5f18ea4128cb6360a35505a1f08fd854875fe2648265d32e9825740d65

SHA512
4b49ded394245c241642009d63a79cfd4cc2b0dbd958f7f0983ffd5c9aff649525e5f98608315fc9914fd7be76b07edfa9d7c4c0481691fcb9479a3f1206a28c

Download Submit
memory/2224-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download
memory/2224-1-0x00000000008F0000-0x0000000000A86000-memory.dmp

Filesize
1.6MB

Download
memory/2224-2-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/2224-3-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/2224-6-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/2224-8-0x0000000005B60000-0x0000000005B68000-memory.dmp

Filesize
32KB

Download
memory/2224-7-0x0000000005B20000-0x0000000005B46000-memory.dmp

Filesize
152KB

Download
memory/2224-13-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download