stealc | 59f20114929a66a4c6243ae9d416192f0b7a584c6d3a07253e0cc69776b4de46

Analysis

max time kernel
143s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

663.4MB
MD5

70a9e51d9777a02427404e4dc2325f0f
SHA1

b340348b78dcbbdc49dc9206f68aa3950723b964
SHA256

f9f5fe8a6d4ef35fdacc5623b1dc689be3ea89c61efdf68e0ddf449916396f05
SHA512

65888e9a446880cd8911ed56047392c00735fe484530962e8d1b70256b082c9eff822b4db0c84db689e5f11331b56acfa62d86b0a496f8b6b744380853b86ebe
SSDEEP

196608:Xpcugy7TlXNdj+P64+SPrW7hOOo4j704ehNVhV98x+L5rCZhwNNwL84XiOHWgE:Xpcu7k6BkOxU4o

Score

10^/10

stealc puaro spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

Puaro

https://9507c272a51ce8cefc8761591b2c50e6.fit

Attributes

url_path
/2fca4d4264af2833.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1692	HJKECAAAFH.exe

Loads dropped DLL 3 IoCs

pid	Process
2848	SearchIndexer.exe
2848	SearchIndexer.exe
2580	cmd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2408	1960	Setup.exe	30
PID 1692 set thread context of 2504	1692	HJKECAAAFH.exe	40

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\L-Connect Service.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchIndexer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1960	Setup.exe
1960	Setup.exe
2408	comp.exe
2408	comp.exe
2848	SearchIndexer.exe
2848	SearchIndexer.exe
1692	HJKECAAAFH.exe
1692	HJKECAAAFH.exe
2504	cmd.exe
2504	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1960	Setup.exe
2408	comp.exe
1692	HJKECAAAFH.exe
2504	cmd.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2408	1960	Setup.exe	30
PID 1960 wrote to memory of 2408	1960	Setup.exe	30
PID 1960 wrote to memory of 2408	1960	Setup.exe	30
PID 1960 wrote to memory of 2408	1960	Setup.exe	30
PID 1960 wrote to memory of 2408	1960	Setup.exe	30
PID 2408 wrote to memory of 2848	2408	comp.exe	33
PID 2408 wrote to memory of 2848	2408	comp.exe	33
PID 2408 wrote to memory of 2848	2408	comp.exe	33
PID 2408 wrote to memory of 2848	2408	comp.exe	33
PID 2408 wrote to memory of 2848	2408	comp.exe	33
PID 2848 wrote to memory of 2580	2848	SearchIndexer.exe	35
PID 2848 wrote to memory of 2580	2848	SearchIndexer.exe	35
PID 2848 wrote to memory of 2580	2848	SearchIndexer.exe	35
PID 2848 wrote to memory of 2580	2848	SearchIndexer.exe	35
PID 2848 wrote to memory of 2444	2848	SearchIndexer.exe	37
PID 2848 wrote to memory of 2444	2848	SearchIndexer.exe	37
PID 2848 wrote to memory of 2444	2848	SearchIndexer.exe	37
PID 2848 wrote to memory of 2444	2848	SearchIndexer.exe	37
PID 2580 wrote to memory of 1692	2580	cmd.exe	39
PID 2580 wrote to memory of 1692	2580	cmd.exe	39
PID 2580 wrote to memory of 1692	2580	cmd.exe	39
PID 2580 wrote to memory of 1692	2580	cmd.exe	39
PID 1692 wrote to memory of 2504	1692	HJKECAAAFH.exe	40
PID 1692 wrote to memory of 2504	1692	HJKECAAAFH.exe	40
PID 1692 wrote to memory of 2504	1692	HJKECAAAFH.exe	40
PID 1692 wrote to memory of 2504	1692	HJKECAAAFH.exe	40
PID 1692 wrote to memory of 2504	1692	HJKECAAAFH.exe	40
PID 2504 wrote to memory of 3024	2504	cmd.exe	42
PID 2504 wrote to memory of 3024	2504	cmd.exe	42
PID 2504 wrote to memory of 3024	2504	cmd.exe	42
PID 2504 wrote to memory of 3024	2504	cmd.exe	42
PID 2504 wrote to memory of 3024	2504	cmd.exe	42
PID 2504 wrote to memory of 3024	2504	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\comp.exe
  C:\Windows\SysWOW64\comp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAKFBKEHDB.exe"
      4⤵
      PID:2444

C:\Windows\system32\taskeng.exe
taskeng.exe {9CD40945-4D79-4F4C-87FB-91927405CD62} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CopySearch.docx

Filesize
18KB

MD5
c25e875834d6ceae23b61b4c9a105a12

SHA1
bb99833376a7520bdebdbf7dc81f5d40c0df7820

SHA256
0d63846d658ca0a1b461dd778169fedb6493b129bfc5abf9b8c5fd42d10ed601

SHA512
98c4d53d8de01a0d2b2a9ab94679990359236c3eafe938f9e160c55429bf13e1344962b97965e5865899a40ae659b2663723ede15641f123f542646bf4605215

Download Submit
C:\ProgramData\OpenBlock.docx

Filesize
19KB

MD5
e8cbb51af5871670fa08f4f7a53dd83e

SHA1
a817694ca5f35bee0704e5c43aad38c5378d8908

SHA256
fe9d4ed25861281f716c0b66838126e6c525b16de2f928e69f8a491e9d4fba08

SHA512
5c06a724979d82c833bbd3c6ef30dbb1ad3fd1329307f30225a6919b966a849286c0843d55a4b13b8e57b4c1621e3ce0fa89cfd6f6425f0871d1c7730f698e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\620b30e4

Filesize
876KB

MD5
97a3924f38b6fe507dbcce5621dddd82

SHA1
ae07c5939a1135b359f9816651b0372f5d774df4

SHA256
366b99bf15bff92a31b7c2fdd8d2f27bab9c08eb1cd6f7c2dd6923b63912179c

SHA512
3c3e479fca7f16b984e72c4ad97fe6f541c386048f07bb88b43dda06e037eb98b7376a7fd3682d3522f396e27e6135488f2156f669448128edc2f8ec9075d270

Download Submit
C:\Users\Admin\AppData\Local\Temp\6386bc00

Filesize
869KB

MD5
efda65ee3c748c6c1cc17dc0ae686760

SHA1
5f75de2def3a6f4bd8302e3ab513173bc92c475b

SHA256
4b14c2695f26697589bb34f1700f57e882ed0fe211cb9d80751b15449df1d7d5

SHA512
0231dd5d948a480cc2cdacebff8b9b962a9f9e6e5414b8b35abdf7ee6ca848b2ee779a35677745fab1540fd4014fcbbf1366b45dcbeefb7d39139bcc4dd05bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a709ef

Filesize
1.1MB

MD5
82e99a942be9e87d87605f37c5d844d2

SHA1
b3b99274d676558c3c4f5b6b45e3f871a908b07e

SHA256
3386e4e5d2af739636f374f2f2a18d07f5a3c33eab9eacd664b6ae5a8096e468

SHA512
9eeab9a65bae7145868b2d28be8538f7eba57b4167add8c4568a855d9c26d09667ea1436a74d300f146cbd4cd096539e29c98be121da4a4f72907561b2b32e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\6999932c

Filesize
1.1MB

MD5
a96a360747fe231219ef175a1059ef34

SHA1
0d780335113d689f9e61ede705e6511d35987670

SHA256
fca36349048655bdc7323d59a023a854dcc6ab35a496bdd1cd836fbceadf35f0

SHA512
7610d5aa3c67df60072b237378d66bcbbfb6f5d89cbc91bfe0513e74a8dc88c2bacbe1abd33951ac8985fff3d5a82f0daa772e67db43654f457c0f34d8f7d762

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe

Filesize
4.2MB

MD5
01b77cf729fa55834d4ea8be3602255f

SHA1
2371f13477843b45b3f12d058432b283ce264733

SHA256
76bb3021ce006df3ecf9740b1eb164bd1036472ae68fe262767d0025b94ecede

SHA512
5d85ef4e23d1de2e4b3a2a622e7062bc0356b1c7a89be8979d239fc3d04814434d992cac5788299a5e3b25ae9e0d41ca5662d9897d39524da75782d3380962d7

Download Submit
memory/1692-156-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/1692-163-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/1960-0-0x0000000000400000-0x0000000001079000-memory.dmp

Filesize
12.5MB

Download
memory/1960-10-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/1960-9-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/1960-8-0x0000000074332000-0x0000000074334000-memory.dmp

Filesize
8KB

Download
memory/1960-7-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/1960-6-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2408-15-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2408-19-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2408-14-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2408-16-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2408-17-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2504-202-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2504-172-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2504-206-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2504-201-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2504-185-0x0000000074320000-0x00000000743B7000-memory.dmp

Filesize
604KB

Download
memory/2848-24-0x00000000002ED000-0x00000000002F5000-memory.dmp

Filesize
32KB

Download
memory/2848-25-0x00000000002E0000-0x000000000034A000-memory.dmp

Filesize
424KB

Download
memory/2848-35-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2848-21-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2848-22-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2848-20-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2848-34-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2848-117-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3024-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-204-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-207-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/3024-208-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download