Malware Analysis Report

2024-08-06 12:40

Sample ID: 240504-txc48seb26
Target: stub.exe
SHA256: d1a3088999bfbf99d96ff4944b96fe7ab20e569b827c68f2c4e6671c1caf4de7
Tags: stealerium stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d1a3088999bfbf99d96ff4944b96fe7ab20e569b827c68f2c4e6671c1caf4de7

Threat Level: Known bad

The file stub.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-04 16:25

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-04 16:25

Reported: 2024-05-04 16:26

Platform: win10v2004-20240419-en

Max time kernel: 7s

Max time network: 8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Stealerium

stealer stealerium

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp563E.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2224

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp

Files

memory/2224-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

memory/2224-1-0x00000000008F0000-0x0000000000A86000-memory.dmp

memory/2224-2-0x0000000005430000-0x0000000005496000-memory.dmp

memory/2224-3-0x0000000074AA0000-0x0000000075250000-memory.dmp

memory/2224-6-0x0000000005A90000-0x0000000005B22000-memory.dmp

memory/2224-8-0x0000000005B60000-0x0000000005B68000-memory.dmp

memory/2224-7-0x0000000005B20000-0x0000000005B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp563E.tmp.bat

MD5 fb471286e9fee748d15ea11e6e345c4d
SHA1 81bc710a89c97377494e8dc67abccc31f2942df1
SHA256 1b5ede5f18ea4128cb6360a35505a1f08fd854875fe2648265d32e9825740d65
SHA512 4b49ded394245c241642009d63a79cfd4cc2b0dbd958f7f0983ffd5c9aff649525e5f98608315fc9914fd7be76b07edfa9d7c4c0481691fcb9479a3f1206a28c

memory/2224-13-0x0000000074AA0000-0x0000000075250000-memory.dmp