Malware Analysis Report

2024-08-06 12:47

Sample ID 240629-sdvphasgpn
Target build.exe
SHA256 ce3f5843042861d5a408804fff1b2e89f846609e0832c42611182b302ac22458
Tags
stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce3f5843042861d5a408804fff1b2e89f846609e0832c42611182b302ac22458

Threat Level: Known bad

The file build.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-29 15:01

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 15:01

Reported

2024-06-29 15:03

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4812 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4812 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4812 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4812 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4812 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4812 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4812 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4812 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp69D6.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 4672

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4672-0-0x000000007488E000-0x000000007488F000-memory.dmp

memory/4672-1-0x0000000000E70000-0x0000000001006000-memory.dmp

memory/4672-2-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/4672-3-0x0000000074880000-0x0000000075030000-memory.dmp

memory/4672-6-0x0000000006040000-0x00000000060D2000-memory.dmp

memory/4672-8-0x00000000060E0000-0x00000000060E8000-memory.dmp

memory/4672-7-0x0000000005A80000-0x0000000005AA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp69D6.tmp.bat

MD5 084b7d0e8088d67a38d0816ac2addab0
SHA1 4dae9e1e72259c44f4c1a105a0183e8bc6697bdb
SHA256 7334dd99c5fe8504f198b4b39842a719a792dd6e63a4d8533d26ec0ce577a366
SHA512 5e9b22f48b1fd683b94a12d7570d7bd586f006cadd5e430f39c0727815dcb6da1ae61222b921f48be8ab3d7fea7df230bfd00acf7d1795ca9ab0d1fea01ccd64

memory/4672-13-0x0000000074880000-0x0000000075030000-memory.dmp