Resubmissions

15-07-2024 08:26

240715-kbwj1sxbnj 5

14-07-2024 18:49

240714-xgrjgavflh 10

General

  • Target

    CheatKeys__Application_66941d6bd945d.zip

  • Size

    159.8MB

  • Sample

    240714-xgrjgavflh

  • MD5

    35d6439feb2e5ff5e7df97961f6b0297

  • SHA1

    8d86717151633ff9180136a4686554e672aede9f

  • SHA256

    1d4b32c4ba025e745eff6d741e7baa97f1b8ef190a1e028e1d8dca45a1b97de9

  • SHA512

    ee056bdfaeaf1f5aff255fe72f3c599222eb6e6aa33fd3eec1a95a3f59f819449158df43e8217e8d3b528f4ab89680dbdf9853fef36440c2c12fafcacb7822ac

  • SSDEEP

    3145728:0zkvMBiaLXxsfGxSfC8/VeG/SjiHd8rwYsWxn0kWfy1Eg3V:0zMeaexTAFq2HmrbsWcaEu

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    default

  • C2

    http://testyregerglegrjerg.top

  • Attributes

    url_path: /eb6f29c6a60b3865.php

Targets

    • Target

      CheatKeys__Application_66941d6bd945d.zip

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Starts PowerShell.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks