Malware Analysis Report

2024-11-16 13:51

Sample ID 240608-a4zf9sef2z
Target 5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330
SHA256 5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330
Tags
stealc default12 discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330

Threat Level: Known bad

The file 5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330 was found to be: Known bad.

Malicious Activity Summary

stealc default12 discovery spyware stealer

Stealc

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-08 00:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 00:46

Reported

2024-06-08 00:49

Platform

win11-20240508-en

Max time kernel

90s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe"

Signatures

Stealc

stealer stealc

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HIDHDAAEHI.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe

"C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIDHDAAEHI.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3796 -ip 3796

C:\Users\Admin\AppData\Local\Temp\HIDHDAAEHI.exe

"C:\Users\Admin\AppData\Local\Temp\HIDHDAAEHI.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 2116

Network

Country Destination Domain Proto
DE 185.172.128.170:80 185.172.128.170 tcp
US 8.8.8.8:53 170.128.172.185.in-addr.arpa udp
DE 185.172.128.159:80 185.172.128.159 tcp

Files

memory/3796-3-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3796-2-0x00000000038C0000-0x00000000038E7000-memory.dmp

memory/3796-1-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

memory/3796-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\HIDHDAAEHI.exe

MD5 6c93fc68e2f01c20fb81af24470b790c
SHA1 d5927b38a32e30afcf5a658612a8266476fc4ad8
SHA256 64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580
SHA512 355e9677121ef17cf8c398f0c17399776d206c62014080a2c62682e1152ea0729dcc6e233358dcd6bae009b07e3db936d4b18eb37d6e7ebc2fe9cf8d827c4ade

memory/3796-94-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3796-93-0x0000000000400000-0x0000000001BBD000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 00:46

Reported

2024-06-08 00:49

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe"

Signatures

Stealc

stealer stealc

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCGDGHCBGD.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe

"C:\Users\Admin\AppData\Local\Temp\5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCGDGHCBGD.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3012 -ip 3012

C:\Users\Admin\AppData\Local\Temp\GCGDGHCBGD.exe

"C:\Users\Admin\AppData\Local\Temp\GCGDGHCBGD.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 2460

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 185.172.128.170:80 185.172.128.170 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 170.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
DE 185.172.128.159:80 185.172.128.159 tcp
US 8.8.8.8:53 159.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.147.200.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

memory/3012-1-0x0000000001C50000-0x0000000001D50000-memory.dmp

memory/3012-3-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3012-2-0x0000000003800000-0x0000000003827000-memory.dmp

memory/3012-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\GCGDGHCBGD.exe

MD5 6c93fc68e2f01c20fb81af24470b790c
SHA1 d5927b38a32e30afcf5a658612a8266476fc4ad8
SHA256 64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580
SHA512 355e9677121ef17cf8c398f0c17399776d206c62014080a2c62682e1152ea0729dcc6e233358dcd6bae009b07e3db936d4b18eb37d6e7ebc2fe9cf8d827c4ade

memory/3012-86-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3012-85-0x0000000000400000-0x0000000001BBD000-memory.dmp