stealerium | fbb40094f45878374ef62cee6e3e66f3e36922a59ab088a6b3a0b0b50974cd1f

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zezzy_builder.exe
Size

12.9MB
MD5

0bb25992f6b4eca888722b981f4ebb87
SHA1

784b241012c76f3fcbacd150ce511ff34e6cd927
SHA256

fbb40094f45878374ef62cee6e3e66f3e36922a59ab088a6b3a0b0b50974cd1f
SHA512

1082e2c88e48a8cbe222eac9f921601e978a3d2972d7e3b0cfe60ad33b822e805792b07bf30fb296782635dbc48b500e35ea5647a0eb0cce325be1a3fb8a5c08
SSDEEP

393216:vqkSmY83yEkfj4q1+TtIiFUY9Z8D8CcldlV1SNbyKhV:v3yz4q1QtIna8DZcLlfxKhV

Score

10^/10

stealerium pyinstaller stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1235963613869772881/HySNirdpxjVl0EyoN6W2CyXKG22djEdq31jQg9sG1hz9kYRSkZeGUsecUeT9JCHJOL23

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Executes dropped EXE 3 IoCs

Processes:

svchost.exeexplorer.exeexplorer.exe

pid process

2172 svchost.exe
2292 explorer.exe
2744 explorer.exe

pid	process
2172	svchost.exe
2292	explorer.exe
2744	explorer.exe

Loads dropped DLL 10 IoCs

Processes:

zezzy_builder.exeexplorer.exeexplorer.exe

pid	process
2836	zezzy_builder.exe
2836	zezzy_builder.exe
2292	explorer.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 discord.com
5 discord.com

flow	ioc
4	discord.com
5	discord.com

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\explorer.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1788 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1132 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

2172 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2172 svchost.exe
Token: SeDebugPrivilege 1132 taskkill.exe

pid	process
1788	timeout.exe

pid	process
1132	taskkill.exe

pid	process
2172	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2172	svchost.exe
Token: SeDebugPrivilege	1132	taskkill.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

zezzy_builder.exeexplorer.exesvchost.execmd.exe

description	pid	process	target process
PID 2836 wrote to memory of 2172	2836	zezzy_builder.exe	svchost.exe
PID 2836 wrote to memory of 2172	2836	zezzy_builder.exe	svchost.exe
PID 2836 wrote to memory of 2172	2836	zezzy_builder.exe	svchost.exe
PID 2836 wrote to memory of 2172	2836	zezzy_builder.exe	svchost.exe
PID 2836 wrote to memory of 2292	2836	zezzy_builder.exe	explorer.exe
PID 2836 wrote to memory of 2292	2836	zezzy_builder.exe	explorer.exe
PID 2836 wrote to memory of 2292	2836	zezzy_builder.exe	explorer.exe
PID 2836 wrote to memory of 2292	2836	zezzy_builder.exe	explorer.exe
PID 2292 wrote to memory of 2744	2292	explorer.exe	explorer.exe
PID 2292 wrote to memory of 2744	2292	explorer.exe	explorer.exe
PID 2292 wrote to memory of 2744	2292	explorer.exe	explorer.exe
PID 2172 wrote to memory of 2352	2172	svchost.exe	cmd.exe
PID 2172 wrote to memory of 2352	2172	svchost.exe	cmd.exe
PID 2172 wrote to memory of 2352	2172	svchost.exe	cmd.exe
PID 2172 wrote to memory of 2352	2172	svchost.exe	cmd.exe
PID 2352 wrote to memory of 564	2352	cmd.exe	chcp.com
PID 2352 wrote to memory of 564	2352	cmd.exe	chcp.com
PID 2352 wrote to memory of 564	2352	cmd.exe	chcp.com
PID 2352 wrote to memory of 564	2352	cmd.exe	chcp.com
PID 2352 wrote to memory of 1132	2352	cmd.exe	taskkill.exe
PID 2352 wrote to memory of 1132	2352	cmd.exe	taskkill.exe
PID 2352 wrote to memory of 1132	2352	cmd.exe	taskkill.exe
PID 2352 wrote to memory of 1132	2352	cmd.exe	taskkill.exe
PID 2352 wrote to memory of 1788	2352	cmd.exe	timeout.exe
PID 2352 wrote to memory of 1788	2352	cmd.exe	timeout.exe
PID 2352 wrote to memory of 1788	2352	cmd.exe	timeout.exe
PID 2352 wrote to memory of 1788	2352	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe
"C:\Users\Admin\AppData\Local\Temp\zezzy_builder.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4FBE.tmp.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:564

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2172
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:1788

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EF2.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-file-l1-2-0.dll
Filesize
22KB

MD5
5aa63c15230b86310056a7dd1d9dc82b

SHA1
c96526190b93053f7521fe48a2171644d136f68d

SHA256
13f5e092d2db88b17e3e8fc9c0cc659c7d3816c161fa276dbde6fcf8c26311ad

SHA512
9a62dde3a5d4763a28a3cb6f78b0d35525b4d5ecc51716e4f68853fbe9ef6f389d1b13f4500dbca1dc8e2891d6062c7ac70087a79aff22e004c301cfdb7e91bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-timezone-l1-1-0.dll
Filesize
22KB

MD5
fa86f68762f0cd75312afd7d5c47df16

SHA1
46588f341e6fec08c6439adb0351bc34340ff89e

SHA256
407e5400dbdb2df0ba00b471464ae781588ab566c3e11957cc01efad4a8e1e1b

SHA512
dc3f77ad906390bf50a7a319cb03fbfb8894515c0d0ce21c03bfd7acff1df991511f4d2f6693760b98d497b44837d1b3b0bfca72cf998dbfce8d9b4863997131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\ucrtbase.dll
Filesize
1.1MB

MD5
d7e7a4c519004d1558fcab9e9eb371a3

SHA1
133d0745f0f6f720c019c9bdcaf1a2ea6ddd21cc

SHA256
7773484bd0ecf89bec67619a38ac73167c2d8cf40613d68a773c07955bcaa94f

SHA512
07557ebf82ae51ee678fe88570f48a011bcdcbcf58504c4b51e9d0f3faf481a63d236c3c4c55c96371de1dde81e881a7fbed828e1ba11b280a9cd42ba11b7344

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FBE.tmp.bat
Filesize
57B

MD5
451cec8fc99f52f19b27c3f3a87243dc

SHA1
2cdd8b837a3ceb19605279397b537202cc05c406

SHA256
ffb61f43de7f7a675545269970bdc306eae181300467da4bb93a2313cf56a3be

SHA512
5d9573749c252aace1cdf64b617836eb0df563a2737019f8c0e003cc0712ea3320d0b0e9291f4bd50add6121748310abb76300d511b2a3c6bc1cafa3ce7f34c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-file-l2-1-0.dll
Filesize
22KB

MD5
11c308210b76b97471b325ab28cd4da6

SHA1
75d423531e1cb8b8ba147cd6263d2fa45321521a

SHA256
71bbc4c856aefd56a6273d5b5509cbc9389ceb99e6109342f46d55954a662abc

SHA512
0d50a2c49e5faab76dbafdffecdf9f465e0648cd68f8fb66cbb414f4cd9cd4da0ee228c46efc4cd4ee28039f463e686676e43f4f92471445fd578e8a2eff270f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-localization-l1-2-0.dll
Filesize
22KB

MD5
c643ebfede7ae34fa29571dc5a14a917

SHA1
820b875318de9f368c153678c71810c69c07be4f

SHA256
619143dd552b5e47f6c2fd9585d8d7b89ec34b1adce17945ea362fec986f23a9

SHA512
c1514622fe81bd36256a14030192a1d9b662157893e8cc3fc9a0519295e6d8b5dd59d7a04fdcc3f89a705e6f5b13e0f09a1b778281a361c82a74db467d3efb3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
22KB

MD5
43d4d038146c4be8ed2c06e1db7ba886

SHA1
1aca2239158574d810695a1942d1afabf737dcfc

SHA256
7b8da89fb25b02280a0c378a536a966bb1050d69ac25980cfd68a7483d7fa982

SHA512
3d34fb8f70772fcc0e7d7405a24fc9075002352ab4c8a3a09e15c60958ed48e4f955cec7a46aead99667b924449f16dc3d41c418044ca08bc1f9a473e0e7eb55

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
11.2MB

MD5
ab2200a32cc9b4ca9482a8c5c1f02ec7

SHA1
d6bf0fdbb707003772bc26f96de35a5875846cec

SHA256
d2698f6ebf00ae0975c0f4b441381bdedfc2612f79b2fd221542bf18560aa650

SHA512
8535e7bf34aa649e7d56cba1ffc80c08f919686b88da037ef920abbbd8d602a54ebea433c85fc0a2f3948ca0ab08fbf4e9de3fe5f86326aee85cdf4f66a5bc29

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.6MB

MD5
b9e0f12dac33aeacd4c95a89d3084a66

SHA1
2ad8173c61907a949e5b0c0d60064336b12583c3

SHA256
3520bdc6dd768a63a429517e4270740b514387835fe4a4918fd14cd6e47fdd24

SHA512
4c57c55123edbae3862b3b028ffb2927202558264933f8c89924185bc9199a524d5e1da81125a72d76a06110de3f76c0e682db97221ab96729df01d462dd3e52

Download Submit
memory/2172-14-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-136-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-140-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/2172-141-0x0000000000480000-0x00000000004A6000-memory.dmp

Filesize
152KB

Download
memory/2172-142-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2172-10-0x0000000000860000-0x00000000009F4000-memory.dmp

Filesize
1.6MB

Download
memory/2172-281-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-0-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2836-1-0x0000000000C80000-0x000000000196E000-memory.dmp

Filesize
12.9MB

Download