stealc | 9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe
Size

1.5MB
MD5

2f3bf4025c648d35847eef0f94a740f8
SHA1

89f6b879f8a3ae861911360b6bf3f0b36e2afee0
SHA256

9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c
SHA512

a0f1f36e3b605c456695a41ff0985ed3db88f412a21615405cdb0bdb488df06fe46d5706ba5248cf45d6daa3404f055b3e504cc4a7c25c3f9ef1cfa1bac14c0d
SSDEEP

24576:IXc46Crf8fAqacHps+/qASfmBgXk/xrADOv1xvF87hso8bTTXo:IXl8IqHHO+SASagXkJr4MDkhs9g

Score

10^/10

stealc default stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://68.183.108.129

Attributes

url_path
/6259fdc16222e061.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Executes dropped EXE 1 IoCs

pid	Process
1464	kat7916.tmp

Loads dropped DLL 2 IoCs

pid	Process
1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe
1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1136 set thread context of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28
PID 1136 wrote to memory of 1464	1136	9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe	28

C:\Users\Admin\AppData\Local\Temp\9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe
"C:\Users\Admin\AppData\Local\Temp\9103badbe87653a720bd99266a6000ae2e6d18c9d291ec51a7eb396fc20c2c0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\kat7916.tmp
  C:\Users\Admin\AppData\Local\Temp\kat7916.tmp
  2⤵
  - Executes dropped EXE
  PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kat7916.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
memory/1136-21-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1136-1-0x0000000002FF0000-0x00000000030F4000-memory.dmp

Filesize
1.0MB

Download
memory/1136-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1464-13-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-23-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-24-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-19-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-17-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-11-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-15-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-10-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-25-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-29-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-33-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1464-37-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download