Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/06/2024, 20:12
Static task: static1
Behavioral task: behavioral1
  Sample: Rose-Stealer-main/payload/main.py
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Rose-Stealer-main/payload/main.py
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: Rose-Stealer-main/utils/aes_encrypt.py
  Resource: win7-20240419-en
Behavioral task: behavioral4
  Sample: Rose-Stealer-main/utils/aes_encrypt.py
  Resource: win10v2004-20240508-en
Behavioral task: behavioral5
  Sample: Rose-Stealer-main/utils/b85_encode.py
  Resource: win7-20240508-en
Behavioral task: behavioral6
  Sample: Rose-Stealer-main/utils/b85_encode.py
  Resource: win10v2004-20240426-en
General
Target: Rose-Stealer-main/payload/main.py
Size: 27KB
MD5: 732de31ac15a78c4340700c2d1e93c73
SHA1: 5b5042db903da70001c849797c6745fa26e7cb96
SHA256: 43d59afee461fca95bd9d074e967b00a09ce8b2602e42281373699c140a31aaf
SHA512: 8324c454457a334e1e27f65f2551351b31823085e56b3ed39bfb7bd2da2b6a59165b5df4e1dd19742db34e8af63dc892ec4130b77751c62498f4387b2274d8da
SSDEEP: 768:wQV4DBp5GT4RuxV4c/uuJuumRxiMBtN0W0DgckS0SH3f5XJXk:wL+4RuxV4c/uuJuumRNtrPcL0SH3f5X6
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell | rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2116 | rundll32.exe
  2584 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2584 | AcroRd32.exe
  2584 | AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2268 wrote to memory of 2116 | 2268 | cmd.exe | 29
  PID 2268 wrote to memory of 2116 | 2268 | cmd.exe | 29
  PID 2268 wrote to memory of 2116 | 2268 | cmd.exe | 29
  PID 2116 wrote to memory of 2584 | 2116 | rundll32.exe | 30
  PID 2116 wrote to memory of 2584 | 2116 | rundll32.exe | 30
  PID 2116 wrote to memory of 2584 | 2116 | rundll32.exe | 30
  PID 2116 wrote to memory of 2584 | 2116 | rundll32.exe | 30
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\payload\main.py
  PID: 2268
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\payload\main.py
    PID: 2116
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\payload\main.py"
      PID: 2584
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 3eca1fd848f21fc423b5e1132eebe9a0
SHA1: 23bfd803fb83f50b9a53fec58505e88221866428
SHA256: 411b4860ca1e30108323ad8861191cea9cbef98e063f6f6dfcae16154eace090
SHA512: ae6b2adcd678f3734d23e0a0afd5d5eac9c7817f00293090baad2dbff90e47670ed95cf2d5a466bf7fef36009c94e004d543ed673fc496703fcb1a92b9d809ba