stealerium | cac65612657f8286cbc762e58b140881b133b06bdfecf70970dd1b4ebca05200

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new.exe
Size

1.6MB
MD5

63acc4e186a38ca51588c82988f245ce
SHA1

a5a1279bb1b13aae2f9fcf762b85b12edaebaaab
SHA256

cac65612657f8286cbc762e58b140881b133b06bdfecf70970dd1b4ebca05200
SHA512

633526dd11c8c22ddaa33fd19cb1fb06d9bcf30f8a4d1e0ef914ac2af1800a24f844f88614725247720251b41519653ebf234e05110f0a37d737a281b1de674a
SSDEEP

24576:li2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL4B:MTq24GjdGSiqkqXfd+/9AqYanieKd

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

bc1qea9m68q0zex4gpp8wgpaswg6hd03skjlap4j74

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

new.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation new.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 discord.com
25 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2512 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4012 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

new.exe

pid process

3964 new.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

new.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 3964 new.exe
Token: SeDebugPrivilege 4012 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	new.exe

flow	ioc
24	discord.com
25	discord.com

pid	process
2512	timeout.exe

pid	process
4012	taskkill.exe

pid	process
3964	new.exe

description	pid	process
Token: SeDebugPrivilege	3964	new.exe
Token: SeDebugPrivilege	4012	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

new.execmd.exe

description	pid	process	target process
PID 3964 wrote to memory of 4456	3964	new.exe	cmd.exe
PID 3964 wrote to memory of 4456	3964	new.exe	cmd.exe
PID 3964 wrote to memory of 4456	3964	new.exe	cmd.exe
PID 4456 wrote to memory of 2212	4456	cmd.exe	chcp.com
PID 4456 wrote to memory of 2212	4456	cmd.exe	chcp.com
PID 4456 wrote to memory of 2212	4456	cmd.exe	chcp.com
PID 4456 wrote to memory of 4012	4456	cmd.exe	taskkill.exe
PID 4456 wrote to memory of 4012	4456	cmd.exe	taskkill.exe
PID 4456 wrote to memory of 4012	4456	cmd.exe	taskkill.exe
PID 4456 wrote to memory of 2512	4456	cmd.exe	timeout.exe
PID 4456 wrote to memory of 2512	4456	cmd.exe	timeout.exe
PID 4456 wrote to memory of 2512	4456	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5C87.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2212

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 3964
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5C87.tmp.bat
Filesize
57B

MD5
84366af9d199b24104065d38216bb1cf

SHA1
9c30dcfdda6b29a9fc4c030e1ea575994a669488

SHA256
46fb33f5e30a76d2bdd2e135818074178fd66e2fb6289111afec0ed1fbaa5240

SHA512
d4f639ab36fd24409b69ca5f5f0657f3200501a20f4044e061e87ab359f0e9ad0739b3b2751106c44a76bbeec1584b8d442dc17382d06f9a0f8a4270f09e7f3f

Download Submit
memory/3964-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/3964-1-0x0000000000320000-0x00000000004B6000-memory.dmp

Filesize
1.6MB

Download
memory/3964-2-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/3964-3-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3964-6-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/3964-7-0x0000000004F40000-0x0000000004F66000-memory.dmp

Filesize
152KB

Download
memory/3964-8-0x0000000005590000-0x0000000005598000-memory.dmp

Filesize
32KB

Download
memory/3964-13-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download