General

  • Target

    a3db4b88cd5892c2b86cf6b0a1f64dbbbd02b06ecd5ead6679aec662ff0d16e0

  • Size

    389KB

  • Sample

    240715-fnqr3ssalh

  • MD5

    b6df411ced924b1cfcabd54d3286ca8f

  • SHA1

    ca13fb04c1d9693b99222a9ef448dc3eae767ccd

  • SHA256

    a3db4b88cd5892c2b86cf6b0a1f64dbbbd02b06ecd5ead6679aec662ff0d16e0

  • SHA512

    5103451b87a65584de4e6fb543d828392152a82a007dba5173e52c35f9c3b8118db63b36d79c0c9466b5532692aa23b6f05cea5c654f7b5ebc0676f9cf236429

  • SSDEEP

    6144:QlYLVyMiFkeLnCUcx/IcoN6OpMW6TBFZP39quZ0m6AdKKuF9XChxbTJEZ2di87EO:QeiFHnC5GCBbxZyAoVF9Xyfti87EO

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.101

Attributes

  • url_path

    /f3ee98d7eec07fb9.php

Targets

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks