stealc | 99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f

General

Target

99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe
Size

4.0MB
MD5

919db35f2bf4dad6dd23e16b68dbb205
SHA1

97a493eb8ebcac4fa8f61c357365d443c72e40dc
SHA256

99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f
SHA512

efa3e69c8c3e6b1af82ae4a6c89412fbcc4d21eaf61349c235810fef4790b5b6f7373c1ca0adb2ca7efcd2ea61635968f9d2237802422cf6046039aab27fa05e
SSDEEP

98304:z8Ho3wEF+ZSxV4CQrRZIfIM8R6nhYufLX6CL2VeUs:z8IqRSxi6dLqi

Score

10^/10

stealc default discovery evasion stealer themida trojan

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Detects executables packed with Themida 13 IoCs

resource	yara_rule
behavioral2/memory/2684-0-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-4-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-3-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-6-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-5-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-2-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-1-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-8-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-10-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-12-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-14-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-16-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/2684-18-0x0000000000330000-0x0000000000955000-memory.dmp	INDICATOR_EXE_Packed_Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2684-0-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-4-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-3-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-6-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-5-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-2-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-1-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-8-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-10-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-12-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-14-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-16-0x0000000000330000-0x0000000000955000-memory.dmp	themida
behavioral2/memory/2684-18-0x0000000000330000-0x0000000000955000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4772	2684	WerFault.exe	80

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe
2684	99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe

C:\Users\Admin\AppData\Local\Temp\99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe
"C:\Users\Admin\AppData\Local\Temp\99dfe8a4454f28c944e3c749150aecdaa97e19bcc5a9cf644a509b7eb1d4e50f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1284
  2⤵
  - Program crash
  PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2684 -ip 2684
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2684-0-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-4-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-3-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-6-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-7-0x0000000000331000-0x000000000034C000-memory.dmp

Filesize
108KB

Download
memory/2684-5-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-2-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-1-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-8-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-10-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-12-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-14-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-16-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download
memory/2684-18-0x0000000000330000-0x0000000000955000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads