General

  • Target

    832d978014c07968af25330f4df44654b1c5c7a3c3d6cbf62b21d967bbc3e4dc

  • Size

    389KB

  • Sample

    240715-ek96waxbkk

  • MD5

    1d0b005c8243b284d26f0489d09cd7b0

  • SHA1

    fb029d37b701d415cfe1aa37d19eeaf2e6b5f1be

  • SHA256

    832d978014c07968af25330f4df44654b1c5c7a3c3d6cbf62b21d967bbc3e4dc

  • SHA512

    6482c337895cadfe4aa7abb606424320e0f9d41771d6dbf61be8d768420dda70255c3eebb08da69a8d5a9463d9ac33a5c14af089f63c3dc2be4faf6dc4258b02

  • SSDEEP

    6144:eF+q1cctSqH6rC8sRA8WBZY/OEMW68rLF9fANc0+p/ACiJQMP2di8UEO:eVtS7rCxMMzXPfANc0g/ACTJi8UEO

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    default

  • C2

    http://85.28.47.101

Attributes

  • url_path

    /f3ee98d7eec07fb9.php

Targets

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks