General

  • Target

    updateload.exe_pw_infected.zip

  • Size

    3.2MB

  • Sample

    240804-shs2gasejb

  • MD5

    dd018fa1b27702d4143334c521ebd271

  • SHA1

    24e0c1cba534afa6acfc5bed65caa45b119b1993

  • SHA256

    eed11e118470e6c53e146514029694e8cff135f02624782cfc48f9f1d2eb10ea

  • SHA512

    18450c372704fa5c53e80187b5600519091d4f6ad7051a107b6bb53f56fb74c3407162a3c5ec6c3351efb75687335aedda1e4de1aa26eaeaa42991facd2093b3

  • SSDEEP

    98304:WH1c3+BKVmvQpwmfXZQhYbMI+cPKyh9ZtswbddHga9:WH6+BKAQemfJQ2d+cPVfnbdFj9

Malware Config

Extracted

Family

stealc

Botnet

meowsterioland3

C2

http://45.152.112.131

Attributes
  • url_path

    /8ee66a3c8f19e4b5.php

Targets

    • Target

      0x000c0000000234ed-1063

    • Size

      7.1MB

    • MD5

      f6c26e56c21e80ece28c34c1491cd173

    • SHA1

      2cb59f35292b92d79c6a4c569c58b5871bd9bf94

    • SHA256

      a88e34617a82ee8f03c33ded79042a0d8f4655daf4de40d819e74448f9c34fc1

    • SHA512

      2228aa271ca678d7db627a39f8affcdc7266123ddd99da357b60a37d0b77a2a78509184a3cc302064a88ba225dee61ba43e4ae7e64546cc816845d92ad15b5b6

    • SSDEEP

      98304:diMrdaUIJ3sxQvmzLvqwBOZTcjgxffDjqJLzEw5blkyD9OQUYn:Yi68xQ+zLJOZwjgZbeB0Yn

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks