Overview

overview

10

Static

static

10

build.exe

windows7-x64

10

build.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    2b295d7ed694fd5f8d154e2809dde5c7

  • SHA1

    8fe4226bfd0795bc92ad62a518e1c5313a1063c2

  • SHA256

    ccf5a47144d4d2e99d2cb7fa4d620c18422e1a85da05ed46f2f574cd671cc335

  • SHA512

    f1cc93b2bd0d56c604dd601dc34a5152382b553e847d08fedc48f08ad1badfdd7dace981e2e1837db2bda22f3b3f1be2269047ddd40a591b29a2fe1b876c8d43

  • SSDEEP

    49152:skTq24GjdGSiqkqXfd+/9AqYanieKds1:s1EjdGSiqkqXf0FLYW

Score
10/10
stealeriumcollectionspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1246735852525326437/GcTg3JPGVTvvvYi6IMfM_bflcLd6mmUk7zrqDc3jqVTKiN4-XEedjVbl6jUHpWD6Vdzi

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4568
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3856
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:3308
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1400
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:4360
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:3892
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5076

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Email Collection

            1
            T1114

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\Browsers\Firefox\Bookmarks.txt
              Filesize

              105B

              MD5

              2e9d094dda5cdc3ce6519f75943a4ff4

              SHA1

              5d989b4ac8b699781681fe75ed9ef98191a5096c

              SHA256

              c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

              SHA512

              d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\Directories\OneDrive.txt
              Filesize

              25B

              MD5

              966247eb3ee749e21597d73c4176bd52

              SHA1

              1e9e63c2872cef8f015d4b888eb9f81b00a35c79

              SHA256

              8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

              SHA512

              bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\Directories\Startup.txt
              Filesize

              24B

              MD5

              68c93da4981d591704cea7b71cebfb97

              SHA1

              fd0f8d97463cd33892cc828b4ad04e03fc014fa6

              SHA256

              889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

              SHA512

              63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\Directories\Videos.txt
              Filesize

              23B

              MD5

              1fddbf1169b6c75898b86e7e24bc7c1f

              SHA1

              d2091060cb5191ff70eb99c0088c182e80c20f8c

              SHA256

              a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

              SHA512

              20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\System\Apps.txt
              Filesize

              6KB

              MD5

              f5b7879a4090071290baaea32286f32f

              SHA1

              d912a731d51980145a29f51c22eb2942969adda3

              SHA256

              aa60030804399c5561977f157626c51ddb1f69a7e5f308d1981f898a822e0334

              SHA512

              9ff82276ea8f83c67dc9119c4ffa131adc1ada0bc9e93eee6e6096d48d243105ab3bf590314872dab729166c31abd572b1ed6bfc9c85a97ef016a97a09e1e7e3

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\System\Debug.txt
              Filesize

              1KB

              MD5

              72381c937d120e2ab8ddc7737f8510f3

              SHA1

              31ef788bee5aa6915198e12ce9764e08d0987b81

              SHA256

              0e84ae676c65981f83e1ebf381ef7ef1a7f333c4b1d2404f68904cb586e45831

              SHA512

              f06e63fbe5484bf2f1b9fff167716b651956dc9e0a9511fbec4d71ffea4d05e0376ff2dd351e6964cc31c9f7661b25697b2508439488d88c9c54899d5d3b5e56

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              114f9cc68caffdb39a369cbf4692a79b

              SHA1

              11cb730622d8feec02892ff497ef3e17296241d2

              SHA256

              55823624cf80fd9c02f71eb056f5e6c0b079e42e86c84cb373dab9d1c803df54

              SHA512

              7256d5778b5d0ffce4b9e63510430eb7418597cbbfba39d3c64f8dd8984cc260c695ff17630f1879221eb2916030edc76209123d9abbce1cd7dd8bc1354324ab

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\Admin@YCLEXTAL_en-US\System\ProductKey.txt
              Filesize

              29B

              MD5

              71eb5479298c7afc6d126fa04d2a9bde

              SHA1

              a9b3d5505cf9f84bb6c2be2acece53cb40075113

              SHA256

              f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

              SHA512

              7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

              Download Submit
            • C:\Users\Admin\AppData\Local\8e5b842b14f0a3dcb27b8496c36b0352\msgid.dat
              Filesize

              19B

              MD5

              89ed7f0a4008dd467557b16348a486f4

              SHA1

              91568c48aa2e9ebaac77be8efd0c4cf008e9aa69

              SHA256

              534fc3754d57e880a724b841693b0adc245c65e918e77bd08117dd3d5e42e5c7

              SHA512

              78eea1b7f8d3be886c8814451ea9eb1a02d7c3bc8bdc1e147aaa47ebe5a8f11f44cc76a3835839b65ae68e6f16b2fa666951f04c13473541c05496b1fa7272c3

              Download Submit
            • memory/4984-10-0x00000000060A0000-0x00000000060AA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/4984-7-0x00000000050C0000-0x0000000005152000-memory.dmp
              Filesize

              584KB

              Download
            • memory/4984-69-0x00000000068E0000-0x0000000006972000-memory.dmp
              Filesize

              584KB

              Download
            • memory/4984-75-0x0000000006F30000-0x00000000074D4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/4984-11-0x00000000060B0000-0x00000000060B8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4984-0-0x000000007466E000-0x000000007466F000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4984-203-0x00000000061C0000-0x000000000623A000-memory.dmp
              Filesize

              488KB

              Download
            • memory/4984-9-0x0000000005180000-0x0000000005188000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4984-8-0x0000000005150000-0x0000000005176000-memory.dmp
              Filesize

              152KB

              Download
            • memory/4984-12-0x00000000060D0000-0x00000000060EE000-memory.dmp
              Filesize

              120KB

              Download
            • memory/4984-3-0x0000000074660000-0x0000000074E10000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4984-2-0x0000000004B30000-0x0000000004B96000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4984-276-0x0000000006680000-0x0000000006732000-memory.dmp
              Filesize

              712KB

              Download
            • memory/4984-278-0x00000000062A0000-0x00000000062C2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4984-279-0x0000000007970000-0x0000000007CC4000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4984-280-0x000000007466E000-0x000000007466F000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4984-282-0x0000000074660000-0x0000000074E10000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4984-1-0x0000000000010000-0x00000000001A2000-memory.dmp
              Filesize

              1.6MB

              Download
            • memory/4984-293-0x00000000067C0000-0x00000000067CA000-memory.dmp
              Filesize

              40KB

              Download