General

  • Target

    4013211626

  • Size

    9KB

  • Sample

    240721-scrw8atfpe

  • MD5

    2dc87ce29e5569453880ebfb036c6dca

  • SHA1

    7e0ca6b568ae925949da6992e89d9081c80adf38

  • SHA256

    b4c0c782d222e4d6f12f880cc36adaeb85fc6e1c0dbbbda94483ca441b386c32

  • SHA512

    37e8a05f543577846977c7d4d4f77e08d5184099f65cb7c964a1afb711789c06d92bff12491ba45e3331157ddc29626e3878d3eb986ab7e05fc679f2dd25911d

  • SSDEEP

    192:rJHP+ws7Ai7A1+FK9fvfjvJcjdYj8exLj1ElCBtV+fXbCSZnw5:pP+wskik1+F+saNOZo

Malware Config

Extracted

Family

stealc

Botnet

doralands20

C2

http://188.130.207.115

Attributes
  • url_path

    /8b4c5bd1ddc1cb18.php

Targets

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Stealc

      Stealc is an infostealer written in C++.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
