Malware Analysis Report

2024-08-06 12:55

Sample ID 240614-11214a1grr
Target ClydeBot.zip
SHA256 fd415095e0f0262dc3f25e7d5fe00a295115ab33660ad43bac655306c1ef1a4b
Tags
stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd415095e0f0262dc3f25e7d5fe00a295115ab33660ad43bac655306c1ef1a4b

Threat Level: Known bad

The file ClydeBot.zip was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Delays execution with timeout.exe

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:07

Signatures

Stealerium family

stealerium

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 22:07

Reported

2024-06-14 22:10

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clydebot.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clydebot.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 22:07

Reported

2024-06-14 22:10

Platform

win11-20240611-en

Max time kernel

124s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clydebot.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clydebot.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:07

Reported

2024-06-14 22:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostraper.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\boostraper.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boostraper.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\boostraper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boostraper.exe

"C:\Users\Admin\AppData\Local\Temp\boostraper.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA364.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 4480

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | discord.com | udp
US | 52.111.229.43:443 |  | tcp

Files

memory/4480-0-0x000000007464E000-0x000000007464F000-memory.dmp

memory/4480-1-0x0000000000BF0000-0x0000000000D82000-memory.dmp

memory/4480-2-0x0000000005710000-0x0000000005776000-memory.dmp

memory/4480-3-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/4480-7-0x0000000005CD0000-0x0000000005D62000-memory.dmp

memory/4480-8-0x0000000005820000-0x0000000005846000-memory.dmp

memory/4480-9-0x0000000005D60000-0x0000000005D68000-memory.dmp

memory/4480-10-0x000000007464E000-0x000000007464F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA364.tmp.bat

MD5 5464a1544191380cb7196cc6950d730a
SHA1 f595a515f0255169459d2b835cec439cf0efefe3
SHA256 8a28a247a44a81e65aa1fe6ebcd151faf3c5d9afce4c32213b88f1dab84db637
SHA512 b5363a774feb9df2622bc18b8248f3ef89356002befd3ba96de96e7e6d78e11a3fc89f925d233c4613d56358659000f447d84be3f52e2df5b1443df4a2a0b414

memory/4480-15-0x0000000074640000-0x0000000074DF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:07

Reported

2024-06-14 22:10

Platform

win11-20240611-en

Max time kernel

132s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boostraper.exe"

Signatures

Stealerium

stealer stealerium

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boostraper.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\boostraper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boostraper.exe

"C:\Users\Admin\AppData\Local\Temp\boostraper.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7F71.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 4172

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 162.159.138.232:443 | discord.com | tcp

Files

memory/4172-0-0x000000007430E000-0x000000007430F000-memory.dmp

memory/4172-1-0x00000000005E0000-0x0000000000772000-memory.dmp

memory/4172-2-0x0000000005220000-0x0000000005286000-memory.dmp

memory/4172-3-0x0000000074300000-0x0000000074AB1000-memory.dmp

memory/4172-7-0x0000000005850000-0x00000000058E2000-memory.dmp

memory/4172-8-0x00000000058E0000-0x0000000005906000-memory.dmp

memory/4172-9-0x0000000005910000-0x0000000005918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7F71.tmp.bat

MD5 6874e667ac1c718cdbeef737107f7411
SHA1 522d64a3c488ee5e0ea958c91ae431741def7e52
SHA256 b8dfe2595be93d7a3a56b02cbb9f5bde77ce35b8255b1a59242482d9c83dccbb
SHA512 9fab3ea2bc89b52ec37a0a108e83e17b3c9fb8580d98482f438bd7799d2b4002e633fe11502a9cdb857c184f976d4eb623ca7f4cab86af36c2a815c6261233d3

memory/4172-14-0x0000000074300000-0x0000000074AB1000-memory.dmp