Malware Analysis Report

2024-09-22 07:00

Sample ID 240622-bb1djazamf
Target c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea
SHA256 c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea
Tags
stealc default discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea

Threat Level: Known bad

The file c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea was found to be: Known bad.

Malicious Activity Summary

stealc default discovery evasion spyware stealer

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 00:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 00:58

Reported

2024-06-22 01:01

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe

"C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe"

Network

Country Destination Domain Proto
RU 85.28.47.4:80 85.28.47.4 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 4.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2028-0-0x0000000000380000-0x00000000009FD000-memory.dmp

memory/2028-1-0x0000000077604000-0x0000000077606000-memory.dmp

memory/2028-2-0x0000000000381000-0x0000000000392000-memory.dmp

memory/2028-3-0x0000000000380000-0x00000000009FD000-memory.dmp

memory/2028-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2028-76-0x0000000000380000-0x00000000009FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 00:58

Reported

2024-06-22 01:01

Platform

win11-20240611-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe

"C:\Users\Admin\AppData\Local\Temp\c4c0310bc779bb4ba051be5fe124c783a101e9d0ba03e530292e69ab00cd9cea.exe"

Network

Country Destination Domain Proto
RU 85.28.47.4:80 85.28.47.4 tcp
US 8.8.8.8:53 4.47.28.85.in-addr.arpa udp

Files

memory/3092-0-0x00000000006E0000-0x0000000000D5D000-memory.dmp

memory/3092-1-0x0000000076F06000-0x0000000076F08000-memory.dmp

memory/3092-2-0x00000000006E1000-0x00000000006F2000-memory.dmp

memory/3092-3-0x00000000006E0000-0x0000000000D5D000-memory.dmp

memory/3092-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3092-76-0x00000000006E0000-0x0000000000D5D000-memory.dmp