Overview

overview

10

Static

static

10

nllauncher.exe

windows7-x64

10

nllauncher.exe

windows10-1703-x64

10

nllauncher.exe

windows10-2004-x64

10

nllauncher.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    17s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-05-2024 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nllauncher.exe

  • Size

    1.6MB

  • MD5

    8d19556ec36067d8cd6aca0181a60d6f

  • SHA1

    d6b7827a278bde0072c6502137f3b48cd3c6fdd8

  • SHA256

    27fc27dc8fd2f14c597932236924b9bd221cbdf62e751b06654566df17e20e80

  • SHA512

    283ef56c211e43a850a7e08ea30da18f1aa5cec00636c48780d52cd1d350fe174b0ca9f3d6d9a92db72fe87b2822073703884aab999dc04821fbdf7c71369eea

  • SSDEEP

    49152:EcTq24GjdGSiqkqXfd+/9AqYanieKdY9:E9EjdGSiqkqXf0FLYW

Score
10/10
stealeriumcollectionspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1085818065360535573/7X1FOgIeWfvo7Wm1i-5gmDKJfqx3bk315y0D-XXNtRIcxGsl95D_Vbwjx7jAmP_WpkUA

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nllauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\nllauncher.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:584
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:1636
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:4688
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:4736
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 2868
            2⤵
            • Program crash
            PID:3660
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:3060
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:3420
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 584 -ip 584
              1⤵
                PID:2016
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4672

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\e956dbf134d6a3785958acaeeb19db8a\Admin@GNMGPFVO_en-US\Browsers\Firefox\Bookmarks.txt
                Filesize

                105B

                MD5

                2e9d094dda5cdc3ce6519f75943a4ff4

                SHA1

                5d989b4ac8b699781681fe75ed9ef98191a5096c

                SHA256

                c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                SHA512

                d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                Download Submit
              • memory/584-9-0x00000000057B0000-0x00000000057B8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/584-2-0x00000000051B0000-0x0000000005216000-memory.dmp
                Filesize

                408KB

                Download
              • memory/584-3-0x0000000074890000-0x0000000075041000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/584-7-0x00000000056F0000-0x0000000005782000-memory.dmp
                Filesize

                584KB

                Download
              • memory/584-8-0x0000000005780000-0x00000000057A6000-memory.dmp
                Filesize

                152KB

                Download
              • memory/584-0-0x000000007489E000-0x000000007489F000-memory.dmp
                Filesize

                4KB

                Download
              • memory/584-10-0x00000000066D0000-0x00000000066DA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/584-11-0x00000000066E0000-0x00000000066E8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/584-12-0x0000000006700000-0x000000000671E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/584-1-0x0000000000560000-0x00000000006F4000-memory.dmp
                Filesize

                1.6MB

                Download
              • memory/584-69-0x00000000068E0000-0x0000000006972000-memory.dmp
                Filesize

                584KB

                Download
              • memory/584-74-0x0000000007630000-0x0000000007BD6000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/584-83-0x0000000074890000-0x0000000075041000-memory.dmp
                Filesize

                7.7MB

                Download