stealerium | b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b

General

Target

b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe
Size

1.6MB
MD5

1250f8db37edf8344bf2d4b85998b319
SHA1

3be39f97dafc08a07805529a7e7986afd9903cf1
SHA256

b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b
SHA512

87cd2478e86d91b640b5265c98b1e7499378768e8c255679b57f34eb2f08525e8435d92b304011ed26a38799739f4eb355bf514b1982dc14dbd5900a0b4dc741
SSDEEP

49152:eLTq24GjdGSiqkqXfd+/9AqYanieKdQH:eiEjdGSiqkqXf0FLYW

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1236288178802135147/P2iZLzB_oNJFDenlHnHhz96DQUs2xxEf_VjLdUsuQkmmrMTuE9UJ6YfWkmHmfxN_m61i

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables manipulated with Fody 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_EXE_Packed_Fody

Detects executables referencing Discord tokens regular expressions 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex

Detects executables referencing credit card regular expressions 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex

Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables with interest in wireless interface using netsh 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

26 discord.com
27 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4304 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1292 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe

pid process

4848 b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe

flow	ioc
26	discord.com
27	discord.com

pid	process
4304	timeout.exe

pid	process
1292	taskkill.exe

pid	process
4848	b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4848	b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe
Token: SeDebugPrivilege	1292	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.execmd.exe

description	pid	process	target process
PID 4848 wrote to memory of 3284	4848	b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe	cmd.exe
PID 4848 wrote to memory of 3284	4848	b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe	cmd.exe
PID 4848 wrote to memory of 3284	4848	b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe	cmd.exe
PID 3284 wrote to memory of 1136	3284	cmd.exe	chcp.com
PID 3284 wrote to memory of 1136	3284	cmd.exe	chcp.com
PID 3284 wrote to memory of 1136	3284	cmd.exe	chcp.com
PID 3284 wrote to memory of 1292	3284	cmd.exe	taskkill.exe
PID 3284 wrote to memory of 1292	3284	cmd.exe	taskkill.exe
PID 3284 wrote to memory of 1292	3284	cmd.exe	taskkill.exe
PID 3284 wrote to memory of 4304	3284	cmd.exe	timeout.exe
PID 3284 wrote to memory of 4304	3284	cmd.exe	timeout.exe
PID 3284 wrote to memory of 4304	3284	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe
"C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5D62.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1136

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 4848
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D62.tmp.bat
Filesize
57B

MD5
0998d926b0b6feee262bc549214fe993

SHA1
a4872067d9695a2137c9375def30e84bd2d7470d

SHA256
842e3fc82905cc4f42416acd0c9cc2b5e593a8a719c4e822706f1abf5de3d6a0

SHA512
23a81de0831dc796bced38281309cca46f64ed6eb92c38e0bec91e93c1f98fc69e844cacbbc1246b9e9f45b69ebedf09cff9220521fddd3942885b65994b3eea

Download Submit
memory/4848-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp

Filesize
1.6MB

Download
memory/4848-2-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4848-3-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4848-7-0x0000000005BF0000-0x0000000005C82000-memory.dmp

Filesize
584KB

Download
memory/4848-8-0x0000000005C80000-0x0000000005CA6000-memory.dmp

Filesize
152KB

Download
memory/4848-9-0x0000000005CB0000-0x0000000005CB8000-memory.dmp

Filesize
32KB

Download
memory/4848-14-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads