Overview

overview

10

Static

static

10

nllauncher.exe

windows7-x64

10

nllauncher.exe

windows10-1703-x64

10

nllauncher.exe

windows10-2004-x64

10

nllauncher.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    6s
  • max time network
    20s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-05-2024 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nllauncher.exe

  • Size

    1.6MB

  • MD5

    8d19556ec36067d8cd6aca0181a60d6f

  • SHA1

    d6b7827a278bde0072c6502137f3b48cd3c6fdd8

  • SHA256

    27fc27dc8fd2f14c597932236924b9bd221cbdf62e751b06654566df17e20e80

  • SHA512

    283ef56c211e43a850a7e08ea30da18f1aa5cec00636c48780d52cd1d350fe174b0ca9f3d6d9a92db72fe87b2822073703884aab999dc04821fbdf7c71369eea

  • SSDEEP

    49152:EcTq24GjdGSiqkqXfd+/9AqYanieKdY9:E9EjdGSiqkqXf0FLYW

Score
10/10
stealeriumstealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1085818065360535573/7X1FOgIeWfvo7Wm1i-5gmDKJfqx3bk315y0D-XXNtRIcxGsl95D_Vbwjx7jAmP_WpkUA

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nllauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\nllauncher.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1900
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
        PID:4424
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:1384
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            3⤵
              PID:5004
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              3⤵
                PID:2720
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              2⤵
                PID:1952
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  3⤵
                    PID:2392
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show networks mode=bssid
                    3⤵
                      PID:5116
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 3472
                    2⤵
                    • Program crash
                    PID:2800
                • C:\Windows\system32\msiexec.exe
                  C:\Windows\system32\msiexec.exe /V
                  1⤵
                    PID:4252

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\25ed305738298a4c9bc0e97ebfd8da5a\Admin@NDTNZVHN_en-US\Browsers\Firefox\Bookmarks.txt
                    Filesize

                    105B

                    MD5

                    2e9d094dda5cdc3ce6519f75943a4ff4

                    SHA1

                    5d989b4ac8b699781681fe75ed9ef98191a5096c

                    SHA256

                    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                    SHA512

                    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log
                    Filesize

                    1003B

                    MD5

                    4cb421c962dde758df969079a1f02068

                    SHA1

                    8ede40e3cf5c8274218ee9096aee5926d64fea14

                    SHA256

                    f65fbe553c5802e795a3ac4e2b03583b021ef04c9355e94653186fd0d0890530

                    SHA512

                    3aa50066736574e5d1b8a49c6f6cd46d484d8369f35ff1ac4256af28b8fed97a52ab37e693fca349e6f69a3f39fa6316707eac782d15f4c258d83acd2b02fec3

                    Download Submit
                  • memory/1900-9-0x00000000054E0000-0x00000000054E8000-memory.dmp
                    Filesize

                    32KB

                    Download
                  • memory/1900-11-0x00000000062B0000-0x00000000062B8000-memory.dmp
                    Filesize

                    32KB

                    Download
                  • memory/1900-0-0x000000007376E000-0x000000007376F000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1900-8-0x00000000054B0000-0x00000000054D6000-memory.dmp
                    Filesize

                    152KB

                    Download
                  • memory/1900-7-0x0000000005320000-0x00000000053B2000-memory.dmp
                    Filesize

                    584KB

                    Download
                  • memory/1900-10-0x00000000062A0000-0x00000000062AA000-memory.dmp
                    Filesize

                    40KB

                    Download
                  • memory/1900-12-0x00000000062D0000-0x00000000062EE000-memory.dmp
                    Filesize

                    120KB

                    Download
                  • memory/1900-3-0x0000000073760000-0x0000000073E4E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/1900-2-0x0000000004DC0000-0x0000000004E26000-memory.dmp
                    Filesize

                    408KB

                    Download
                  • memory/1900-52-0x00000000069E0000-0x0000000006A72000-memory.dmp
                    Filesize

                    584KB

                    Download
                  • memory/1900-1-0x0000000000400000-0x0000000000594000-memory.dmp
                    Filesize

                    1.6MB

                    Download
                  • memory/1900-57-0x00000000072E0000-0x00000000077DE000-memory.dmp
                    Filesize

                    5.0MB

                    Download
                  • memory/1900-92-0x000000007376E000-0x000000007376F000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1900-93-0x0000000073760000-0x0000000073E4E000-memory.dmp
                    Filesize

                    6.9MB

                    Download