stealc | 46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 16:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3D808F3A657C3DB4BDFF5F4F60121711.exe
Size

3.1MB
MD5

3d808f3a657c3db4bdff5f4f60121711
SHA1

3b1c1d0df4201a56988e020201836f8f581351d3
SHA256

46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae
SHA512

31df54b32c6cac3869b9c2dc06c3cf080f218354c6b3a74517e879bf2acd391f22bb013847b7c445dd801b8e4e2d308278f8acc9684c0ae8ceffdfa45bd8ccb5
SSDEEP

98304:r8wl6E5d5IcRsYtD0EDYUGKFdu9CwJsv6ti6i:r10E5nRsYtjGKFdu9CwJsv6tiR

Score

10^/10

stealc default discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://5.42.104.211

Attributes

url_path
/94903f819d758732.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Executes dropped EXE 1 IoCs

pid	Process
2192	㜴䘸㐷㡑㡑䝺兺圴

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3392 set thread context of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4684	2192	WerFault.exe	86

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	㜴䘸㐷㡑㡑䝺兺圴
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	㜴䘸㐷㡑㡑䝺兺圴

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	㜴䘸㐷㡑㡑䝺兺圴
2192	㜴䘸㐷㡑㡑䝺兺圴

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86
PID 3392 wrote to memory of 2192	3392	3D808F3A657C3DB4BDFF5F4F60121711.exe	86

C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe
"C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
  "C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1304
    3⤵
    - Program crash
    PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2192 -ip 2192
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴

Filesize
38KB

MD5
3992f464696b0eeff236aef93b1fdbd5

SHA1
8dddabaea6b342efc4f5b244420a0af055ae691e

SHA256
0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14

SHA512
27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

Download Submit
memory/2192-2-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2192-6-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2192-7-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2192-8-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2192-9-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download