Malware Analysis Report

2024-09-22 07:46

Sample ID 240603-jlyxfshf46
Target amm.exe
SHA256 c2dd30a33e7631b1d32f8a8864c9fa7e45c16657a9593ea42c109cc34f208871
Tags
stealc default discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c2dd30a33e7631b1d32f8a8864c9fa7e45c16657a9593ea42c109cc34f208871

Threat Level: Known bad

The file amm.exe was found to be: Known bad.

Malicious Activity Summary

stealc default discovery spyware stealer

Stealc

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:46

Reported

2024-06-03 07:48

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amm.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\amm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\amm.exe C:\Windows\SysWOW64\WerFault.exe
PID 1956 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\amm.exe C:\Windows\SysWOW64\WerFault.exe
PID 1956 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\amm.exe C:\Windows\SysWOW64\WerFault.exe
PID 1956 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\amm.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\amm.exe

"C:\Users\Admin\AppData\Local\Temp\amm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 52

Network

N/A

Files

memory/1956-0-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1956-1-0x0000000000020000-0x0000000000021000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:46

Reported

2024-06-03 07:48

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amm.exe"

Signatures

Stealc

stealer stealc

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1324 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\amm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\amm.exe

"C:\Users\Admin\AppData\Local\Temp\amm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 147.45.47.150:80 147.45.47.150 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 150.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/1324-0-0x0000000000840000-0x0000000000841000-memory.dmp

memory/1324-3-0x0000000000840000-0x0000000000841000-memory.dmp

memory/3988-1-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3988-5-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3988-6-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3988-7-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3988-79-0x0000000000400000-0x000000000063B000-memory.dmp