General

  • Target

    55a12f7c0f1b0dfd44ba6843fde498986022940dd87290e2fcfe80213132666b

  • Size

    261KB

  • Sample

    240607-mr4lnsga36

  • MD5

    168ef6d0627a0ed193a5e3d1b5f2f7c2

  • SHA1

    ca0a8758f05058ba2aa245d4d1a4ac6b9823be78

  • SHA256

    55a12f7c0f1b0dfd44ba6843fde498986022940dd87290e2fcfe80213132666b

  • SHA512

    9eacd4ed6501be9c8d81555d31f5b2554afbd86451ccbef30e3045b0cf422ef94bd444dece3e1edeb77b355fed2e17260def24b50143650a4f6e1dbce63c9db1

  • SSDEEP

    3072:NNVQkL+rkBzvMuX1Bdq8LvMKMP8h5CXPHhkHo4wrrJNyXdYz+S5Q04cm+4/s:NNRLIkJblq4vM705quIHR+9xcmq

Malware Config

Extracted

Family

stealc

Botnet

default12

C2

http://185.172.128.170

Attributes
  • url_path

    /7043a0c6a68d9c65.php

Targets

    • Target

      55a12f7c0f1b0dfd44ba6843fde498986022940dd87290e2fcfe80213132666b

    • Size

      261KB

    • MD5

      168ef6d0627a0ed193a5e3d1b5f2f7c2

    • SHA1

      ca0a8758f05058ba2aa245d4d1a4ac6b9823be78

    • SHA256

      55a12f7c0f1b0dfd44ba6843fde498986022940dd87290e2fcfe80213132666b

    • SHA512

      9eacd4ed6501be9c8d81555d31f5b2554afbd86451ccbef30e3045b0cf422ef94bd444dece3e1edeb77b355fed2e17260def24b50143650a4f6e1dbce63c9db1

    • SSDEEP

      3072:NNVQkL+rkBzvMuX1Bdq8LvMKMP8h5CXPHhkHo4wrrJNyXdYz+S5Q04cm+4/s:NNRLIkJblq4vM705quIHR+9xcmq

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks