stealerium | 0bfd8dcff6939b802965612bf404e7f461ed20d834d84b88dd72f3a56fd4cb68

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe
Size

1.6MB
MD5

56a47f42556978d1a9627243986eb890
SHA1

7c67c86fe25a4e30b78f5ffcda8d2b277073d6ba
SHA256

0bfd8dcff6939b802965612bf404e7f461ed20d834d84b88dd72f3a56fd4cb68
SHA512

09b160cf316c7310ee51e91a2d0c01373e67f3750f710d90247414ad78ef7999e760d9a54a4ef253c448b8117e611a66ca41bffefebb3b875e4795a675ac986f
SSDEEP

49152:JkTq24GjdGSiqkqXfd+/9AqYanieKds+:J1EjdGSiqkqXf0FLYW

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1232369598662316072/JZ3l8RdMLeLdYhOp1gSa6SDT8QGjcOhm2duBg8NFPzws-9w9pWQ1T99En6-kpnE2KDx1

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

21 discord.com
20 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4924 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4684 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe

pid process

4492 56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56a47f42556978d1a9627243986eb890_NeikiAnalytics.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4492 56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe
Token: SeDebugPrivilege 4684 taskkill.exe

flow	ioc
21	discord.com
20	discord.com

pid	process
4924	timeout.exe

pid	process
4684	taskkill.exe

pid	process
4492	56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	4492	56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe
Token: SeDebugPrivilege	4684	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

56a47f42556978d1a9627243986eb890_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 4492 wrote to memory of 5096	4492	56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe	cmd.exe
PID 4492 wrote to memory of 5096	4492	56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe	cmd.exe
PID 4492 wrote to memory of 5096	4492	56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe	cmd.exe
PID 5096 wrote to memory of 5084	5096	cmd.exe	chcp.com
PID 5096 wrote to memory of 5084	5096	cmd.exe	chcp.com
PID 5096 wrote to memory of 5084	5096	cmd.exe	chcp.com
PID 5096 wrote to memory of 4684	5096	cmd.exe	taskkill.exe
PID 5096 wrote to memory of 4684	5096	cmd.exe	taskkill.exe
PID 5096 wrote to memory of 4684	5096	cmd.exe	taskkill.exe
PID 5096 wrote to memory of 4924	5096	cmd.exe	timeout.exe
PID 5096 wrote to memory of 4924	5096	cmd.exe	timeout.exe
PID 5096 wrote to memory of 4924	5096	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\56a47f42556978d1a9627243986eb890_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8B48.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:5084

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 4492
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8B48.tmp.bat
Filesize
57B

MD5
e8b1a007941695aa85eab560e557714a

SHA1
c437934656a2346b6bd25063c2e9dc561ce76c21

SHA256
3049465447c0cbbed61fe334df637e5889ad99a4314130633cbcdd61e1e47a19

SHA512
ed137aa91baa81d6ac13895e58901585d22b225a0c2bc25fad34354cd43493e5eb9a6cdd8a22e47243e917432489d012652556523447bcc5cef244f5c3d95342

Download Submit
memory/4492-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/4492-1-0x0000000000A80000-0x0000000000C12000-memory.dmp

Filesize
1.6MB

Download
memory/4492-2-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/4492-3-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4492-7-0x0000000005B10000-0x0000000005BA2000-memory.dmp

Filesize
584KB

Download
memory/4492-8-0x0000000005BA0000-0x0000000005BC6000-memory.dmp

Filesize
152KB

Download
memory/4492-9-0x0000000005670000-0x0000000005678000-memory.dmp

Filesize
32KB

Download
memory/4492-14-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download