Resubmissions

  • 11-12-2024 15:32    241211-sy44nssrdm    10
  • 09-08-2024 21:57    240809-1t1vfs1cpm    10
  • 06-08-2024 13:01    240806-p9f97szdlm    10
  • 06-08-2024 12:52    240806-p3672stdkg    10
  • 06-08-2024 12:29    240806-ppa8fsygqr    10
  • 06-08-2024 12:26    240806-pmc92ashlh    10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-08-2024 21:57

General

  • Target
    1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
  • Size
    161KB
  • MD5
    855da30648c0d4f4e2497470ece750bf
  • SHA1
    4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a
  • SHA256
    08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65
  • SHA512
    948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393
  • SSDEEP
    3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf

Malware Config

Extracted

Family

stealc

Botnet

hello

C2

http://85.28.47.70

Attributes
  • url_path

    /570d5d5e8678366c.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
    "C:\Users\Admin\AppData\Local\Temp\1\08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 608
      2⤵
      • Program crash
      PID:2868

Network

  • 85.28.47.70:80 (12 identical flows recorded)
    08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
    152 B / 120 B, 3 / 3

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2552-0-0x0000000000B60000-0x0000000000D9C000-memory.dmp

    Filesize

    2.2MB
