Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11 Aug 2024, 00:54 UTC

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    ff6ccb1779a4746097c903cc4990cde9

  • SHA1

    6fafe17c197a7db965c0b54964e79007be4c59e4

  • SHA256

    615a6d34654e5f71fb42425485e13211a54dda151f901d30b09c6064edbd2102

  • SHA512

    0f980580a1b85efaebc8b0371325f74fc6d1c5a39d3a05dd141bfdb34837c8670c41db578ca0e15da06d27d19d273482c724031edfbe958d834646f067903d15

  • SSDEEP

    49152:JkTq24GjdGSiqkqXfd+/9AqYanieKdsB:J1EjdGSiqkqXf0FLYW

Malware Config

Extracted

  • Family

    stealerium

  • C2

    https://discord.com/api/webhooks/1271994618187350106/NlTUFVTKg-sY-yt64wtu-kLBb-kh48Vr2qN8wrwwxhsKUHrF0qUb4nuI_FCeU5gNVv8o

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature fires on netsh.exe execution; the only netsh commands in this run are "netsh wlan show profile" and "netsh wlan show networks mode=bssid", which are Wi-Fi discovery, not helper DLL registration, so the Event Triggered Execution mapping should be read as generic rather than as observed persistence.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1936
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:2208
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1720
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1504
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 2080
      2⤵
      • Program crash
      PID:1604
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2836
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2060
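
The process tree above is the detection opportunity: a payload in a user-writable path spawns cmd.exe /C chcp 65001 && netsh wlan show ..., which an interactive administrator almost never does. The block below is an added example, not code from the sandbox or from Stealerium. EVENTS is a constructed process-creation log that mirrors the tree in this report (PIDs, images and command lines copied from it, parent links taken from the tree indentation); the field names (pid/ppid/image/cmdline, Sysmon Event ID 1 style) and the benign control records at the end are assumptions.

```python
"""Rank netsh wlan activity by its process ancestry, Stealerium-style chains highest.

Added example, not code from the sandbox or from Stealerium. EVENTS mirrors the
report's process tree; field names and the last two (benign) records are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

EVENTS = [
    {"pid": 2624, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\build.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\build.exe"'},
    {"pid": 3004, "ppid": 2624, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"pid": 1936, "ppid": 3004, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2208, "ppid": 3004, "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": "netsh wlan show profile"},
    {"pid": 2196, "ppid": 3004, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmdline": "findstr All"},
    {"pid": 1248, "ppid": 2624, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"pid": 1720, "ppid": 1248, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 1504, "ppid": 1248, "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": "netsh wlan show networks mode=bssid"},
    # Constructed benign control: an administrator typing the same thing into an interactive shell.
    {"pid": 4100, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh wlan show networks"},
]

# An ancestor living in a user-writable location points at a dropped payload.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
NETSH_WLAN = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(profiles?|networks)\b(.*)", re.I)
SEVERITY = ["low", "medium", "high"]


@dataclass
class Finding:
    pid: int
    cmdline: str
    severity: str
    reason: str
    origin_pid: Optional[int]     # first ancestor found in a user-writable path, if any
    origin_image: Optional[str]


def escalate(severity: str) -> str:
    return SEVERITY[min(SEVERITY.index(severity) + 1, len(SEVERITY) - 1)]


def ancestors(by_pid, pid, max_depth=4):
    """Walk ppid links upwards; stops at the root or at a parent the log does not contain."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(cur)
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Score the netsh.exe process itself; the cmd.exe wrapper that embeds the same
        # command line is inspected below as its parent instead of being reported twice.
        if not e["image"].lower().endswith("\\netsh.exe"):
            continue
        m = NETSH_WLAN.search(e["cmdline"])
        if not m:
            continue
        verb, rest = m.group(1).lower(), m.group(2).lower()
        if verb.startswith("profile"):
            # "key=clear" dumps the saved PSK. This report only shows the profile listing,
            # so ranking key=clear highest is an assumption about a run that finds saved
            # profiles, not something the report itself demonstrates.
            severity = "high" if "key=clear" in rest else "medium"
            reason = "saved Wi-Fi profile enumeration"
        else:
            severity = "low"
            reason = "nearby network/BSSID enumeration"
        chain = ancestors(by_pid, e["pid"])
        parent = chain[0] if chain else None
        origin = next((a for a in chain if USER_WRITABLE.search(a["image"])), None)
        # The "cmd /C chcp 65001 && ..." wrapper forces UTF-8 output so the stealer can
        # parse it; an interactive operator rarely prefixes commands that way.
        programmatic = parent is not None and "chcp 65001" in parent["cmdline"].lower()
        if origin is not None or programmatic:
            severity = escalate(severity)
            if programmatic:
                reason += ", launched via cmd /C chcp 65001"
            if origin is not None:
                reason += f", origin {origin['image']}"
        findings.append(Finding(e["pid"], e["cmdline"], severity, reason,
                                origin["pid"] if origin else None,
                                origin["image"] if origin else None))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.severity.upper(), f.pid, f.reason, "|", f.cmdline)
```

Run against the constructed log, the two netsh children of build.exe rank high and medium, while the interactive control stays low because it has neither the chcp 65001 wrapper nor an ancestor outside C:\Windows. In a real deployment the ancestor walk is what keeps the rule useful: matching netsh wlan show alone pages on every help-desk session.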

Network

  • Country: US
    DNS
    discord.com
    build.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
    Response
    discord.com
    IN A
    162.159.135.232
    discord.com
    IN A
    162.159.128.233
    discord.com
    IN A
    162.159.136.232
    discord.com
    IN A
    162.159.137.232
    discord.com
    IN A
    162.159.138.232
  • Country: US
    GET
    https://discord.com/api/webhooks/1271994618187350106/NlTUFVTKg-sY-yt64wtu-kLBb-kh48Vr2qN8wrwwxhsKUHrF0qUb4nuI_FCeU5gNVv8o
    build.exe
    Remote address:
    162.159.135.232:443
    Request
    GET /api/webhooks/1271994618187350106/NlTUFVTKg-sY-yt64wtu-kLBb-kh48Vr2qN8wrwwxhsKUHrF0qUb4nuI_FCeU5gNVv8o HTTP/1.1
    Host: discord.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 11 Aug 2024 00:54:53 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: __dcfduid=523472e2577c11efa978debb05823ef1; Expires=Fri, 10-Aug-2029 00:54:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1723337695
    x-ratelimit-reset-after: 1
    vary: Accept-Encoding
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    Last-Modified: Sun, 11 Aug 2024 00:54:53 GMT
    CF-Cache-Status: EXPIRED
    Expires: Sun, 11 Aug 2024 04:54:53 GMT
    Cache-Control: public, max-age=14400
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RHVk72rKgx3X5fMIoAcajNGCPC388K6HvPe92o1LtcAVjw6JJfiBQwNLoNEGMGizoDzfJ7VCkYWBWNYP0KdkQja9msXCW072lrx%2FuRhpn5ZS%2Flv1KTt39dDkWFFI"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=523472e2577c11efa978debb05823ef140e572e366c4d634d1fbbacb688bf9c1045cf851077e0605a7b5205cb6f4c19b; Expires=Fri, 10-Aug-2029 00:54:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=2295b508455638c93c785d5e9153a67f5f337417-1723337693; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=PYe08ZOkpmVhwJZVIRvdm8R5LHSELmYpefYU974iuZg-1723337693903-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 8b1441c9fee445a1-LHR
  • Country: US
    DNS
    icanhazip.com
    build.exe
    Remote address:
    8.8.8.8:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.16.184.241
    icanhazip.com
    IN A
    104.16.185.241
  • Country: US
    GET
    http://icanhazip.com/
    build.exe
    Remote address:
    104.16.184.241:80
    Request
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 11 Aug 2024 00:54:55 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=EUpUSOYFHszyBfzsJztrAnPltJNnvBqJgKs3ondEh7c-1723337695-1.0.1.1-d0JlOXsPCaQ9EkE4AAyj_1G7CqywQ67.von4FWKCMUcLhOsG2TkwNXxz0pyzsYFs8H8AJVKpFAaOR4YCN.I01g; path=/; expires=Sun, 11-Aug-24 01:24:55 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8b1441d33f1b778f-LHR
    alt-svc: h3=":443"; ma=86400
  • Country: US
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.16.170.123
    a1363.dscg.akamai.net
    IN A
    2.16.170.49
  • Country: GB
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.16.170.123:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
    Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
    ETag: 0x8DCA14B323B2CC0
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 546be232-c01e-0078-1f3a-d3f412000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 11 Aug 2024 00:54:56 GMT
    Connection: keep-alive
  • Country: US
    DNS
    csc3-2004-crl.verisign.com
    Remote address:
    8.8.8.8:53
    Request
    csc3-2004-crl.verisign.com
    IN A
    Response
  • Country: US
    GET
    http://icanhazip.com/
    build.exe
    Remote address:
    104.16.184.241:80
    Request
    GET / HTTP/1.1
    Host: icanhazip.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 11 Aug 2024 00:54:57 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=pclttlPNKcFLeLbpl2CFCz1H0tHxfKLCiJ2KSFYiOJA-1723337697-1.0.1.1-i631kq4cQYszTiDfLz5A3Sny6NJSvB952M7KQV9eN2_fVe3BIrfnd0jaonCUlMrcGVc1_poNYiMeh_F7D6doNg; path=/; expires=Sun, 11-Aug-24 01:24:57 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8b1441e2bed963ec-LHR
    alt-svc: h3=":443"; ma=86400
  • Country: US
    DNS
    api.gofile.io
    build.exe
    Remote address:
    8.8.8.8:53
    Request
    api.gofile.io
    IN A
    Response
    api.gofile.io
    IN A
    51.38.43.18
    api.gofile.io
    IN A
    45.112.123.126
  • 162.159.135.232:443
    https://discord.com/api/webhooks/1271994618187350106/NlTUFVTKg-sY-yt64wtu-kLBb-kh48Vr2qN8wrwwxhsKUHrF0qUb4nuI_FCeU5gNVv8o
    tls, http
    build.exe
    918 B
    5.2kB
    10
    10

    HTTP Request

    GET https://discord.com/api/webhooks/1271994618187350106/NlTUFVTKg-sY-yt64wtu-kLBb-kh48Vr2qN8wrwwxhsKUHrF0qUb4nuI_FCeU5gNVv8o

    HTTP Response

    200
  • 104.16.184.241:80
    http://icanhazip.com/
    http
    build.exe
    293 B
    708 B
    5
    4

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 2.16.170.123:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    445 B
    1.7kB
    5
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 104.16.184.241:80
    http://icanhazip.com/
    http
    build.exe
    269 B
    708 B
    5
    4

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 51.38.43.18:443
    api.gofile.io
    tls
    build.exe
    385 B
    219 B
    5
    5
  • 8.8.8.8:53
    discord.com
    dns
    build.exe
    57 B
    137 B
    1
    1

    DNS Request

    discord.com

    DNS Response

    162.159.135.232
    162.159.128.233
    162.159.136.232
    162.159.137.232
    162.159.138.232

  • 8.8.8.8:53
    icanhazip.com
    dns
    build.exe
    59 B
    91 B
    1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.16.184.241
    104.16.185.241

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.16.170.123
    2.16.170.49

  • 8.8.8.8:53
    csc3-2004-crl.verisign.com
    dns
    72 B
    127 B
    1
    1

    DNS Request

    csc3-2004-crl.verisign.com

  • 8.8.8.8:53
    api.gofile.io
    dns
    build.exe
    59 B
    91 B
    1
    1

    DNS Request

    api.gofile.io

    DNS Response

    51.38.43.18
    45.112.123.126
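
Two of the requests above carry the useful indicators: the Discord webhook (the C2 channel, a legitimate service abused as a drop) and the icanhazip.com lookups (the victim's external IP, fetched twice). The block below is an added example of how a responder would triage such a log; it is not the sandbox's or Stealerium's code. LOG is constructed from the requests listed in this report (process, method, URL) and its tab-separated layout is an assumption. Discord snowflake IDs encode their creation time (milliseconds since 2015-01-01T00:00:00Z, shifted left by 22 bits), so the webhook ID alone dates the attacker's infrastructure; the token is the secret and is redacted before anything is shared.

```python
"""Classify stealer HTTP indicators: Discord webhook C2 and external IP lookup.

Added example, not the sandbox's or Stealerium's code. LOG is constructed from the
report's network section; the tab-separated layout is an assumption.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

DISCORD_EPOCH_MS = 1_420_070_400_000          # 2015-01-01T00:00:00Z, per Discord's snowflake spec
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,})$")
# Services stealers use to learn the victim's public IP; the list beyond icanhazip.com is an assumption.
IP_LOOKUP_HOSTS = {"icanhazip.com", "api.ipify.org", "ifconfig.me", "ipinfo.io", "ip-api.com"}

# Constructed from the report: process \t method \t URL (empty process = OS background traffic).
LOG = """\
build.exe\tGET\thttps://discord.com/api/webhooks/1271994618187350106/NlTUFVTKg-sY-yt64wtu-kLBb-kh48Vr2qN8wrwwxhsKUHrF0qUb4nuI_FCeU5gNVv8o
build.exe\tGET\thttp://icanhazip.com/
\tGET\thttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
build.exe\tGET\thttp://icanhazip.com/
"""


def snowflake_time(snowflake: int) -> datetime:
    """Creation time embedded in a Discord snowflake (webhook, channel and guild IDs alike)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def redact_webhook(webhook_id: str) -> str:
    # Share the ID (it is what an abuse report needs), never the token: anyone holding
    # the token can read the webhook's metadata and post into the attacker's channel.
    return f"https://discord.com/api/webhooks/{webhook_id}/[token redacted]"


def classify(line: str) -> dict:
    process, method, url = line.split("\t")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    entry = {"process": process or None, "method": method, "host": host, "kind": "other"}
    m = WEBHOOK_PATH.match(parts.path) if host == "discord.com" else None
    if m:
        webhook_id = m.group(1)
        entry.update(kind="discord_webhook_c2", webhook_id=webhook_id,
                     created=snowflake_time(int(webhook_id)),
                     report_url=redact_webhook(webhook_id))
    elif host in IP_LOOKUP_HOSTS:
        entry["kind"] = "external_ip_lookup"
    return entry


def triage(log: str) -> list:
    return [classify(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in triage(LOG):
        print(row["kind"], row.get("process"), row.get("report_url", row["host"]),
              row["created"].isoformat() if "created" in row else "")
```

For this report the webhook ID decodes to a creation time of 2024-08-11 00:52 UTC, about two minutes before the submission time, which fits a sample built and detonated straight away. The sample's request was a GET rather than a POST; an unauthenticated GET on a webhook URL returns the webhook object (name, channel and guild IDs) and is consistent with a validity check before any upload. A responder who needs those IDs for a takedown request can make the same GET from an isolated host, but should never POST to the URL.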

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\Directories\Startup.txt

    Filesize

    24B

    MD5

    68c93da4981d591704cea7b71cebfb97

    SHA1

    fd0f8d97463cd33892cc828b4ad04e03fc014fa6

    SHA256

    889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

    SHA512

    63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\Directories\Videos.txt

    Filesize

    23B

    MD5

    1fddbf1169b6c75898b86e7e24bc7c1f

    SHA1

    d2091060cb5191ff70eb99c0088c182e80c20f8c

    SHA256

    a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

    SHA512

    20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\System\Apps.txt

    Filesize

    6KB

    MD5

    0da9127356b75fac792d832a2ae507f6

    SHA1

    3290deee9c95765a1d1a157549ea13666cbd4911

    SHA256

    8fb40a964f2fa2b1a2fa7f06fd48104ea3fc69016a2bd9799901f46a2943a194

    SHA512

    208a342bada8c17cb48b015ec09da11c23de413f162aef8441a636b05a424c480a4394dd25f424846b16260b85c6df3a3e72dd74362fd8b85da484cbd43ff4eb

  • C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\System\Debug.txt

    Filesize

    1KB

    MD5

    93bd9d83543dcbe74b8153cd7d147989

    SHA1

    a2651f851878532bdb22878330b35c00d4c85705

    SHA256

    38d5dd6799dd176df93e353f401d354ba0048cb11ee72a22fa2663c73e6a81c4

    SHA512

    a773766c8921fff5e179a54c280b6b234912dedce1348ff49e5ac2e6e05250a32a06fe0674fa588bc2168737850a9596db8b9f2592c3f5b163c374c5ad8b417b

  • C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\System\ProductKey.txt

    Filesize

    29B

    MD5

    cad6c6bee6c11c88f5e2f69f0be6deb7

    SHA1

    289d74c3bebe6cca4e1d2e084482ad6d21316c84

    SHA256

    dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

    SHA512

    e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\Temp\Cab4443.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar4465.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2624-45-0x0000000002040000-0x000000000204A000-memory.dmp

    Filesize

    40KB

  • memory/2624-171-0x0000000005910000-0x000000000598A000-memory.dmp

    Filesize

    488KB

  • memory/2624-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

    Filesize

    4KB

  • memory/2624-46-0x0000000002050000-0x0000000002058000-memory.dmp

    Filesize

    32KB

  • memory/2624-47-0x0000000002060000-0x000000000207E000-memory.dmp

    Filesize

    120KB

  • memory/2624-9-0x0000000000610000-0x0000000000636000-memory.dmp

    Filesize

    152KB

  • memory/2624-8-0x0000000005370000-0x0000000005402000-memory.dmp

    Filesize

    584KB

  • memory/2624-10-0x0000000000640000-0x0000000000648000-memory.dmp

    Filesize

    32KB

  • memory/2624-241-0x0000000074AC0000-0x00000000751AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2624-239-0x00000000073F0000-0x00000000074A2000-memory.dmp

    Filesize

    712KB

  • memory/2624-2-0x0000000074AC0000-0x00000000751AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2624-1-0x00000000002E0000-0x0000000000472000-memory.dmp

    Filesize

    1.6MB

  • memory/2836-6-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2836-7-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB
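
The dropped-file paths above expose the stealer's staging layout: everything it collected sits under AppData\Local\<32-hex id>\<user>@<host>_<locale>\, grouped by category (Browsers, Directories, System), ready to be archived and sent. The block below is an added example, not the sandbox's or Stealerium's code, that recovers the victim tag and the collected categories from such paths. PATHS is constructed from this report's Downloads section; reading the directory name as user@hostname_locale, the 32-hex parent as a per-run staging ID, and the Cab/Tar temp files as Windows certificate-download leftovers are assumptions.

```python
"""Recover what a stealer run staged for exfiltration from dropped-file paths.

Added example, not the sandbox's or Stealerium's code. PATHS is constructed from
the report; the meaning of the directory names is an assumption.
"""
import re
from collections import defaultdict

PATHS = [
    r"C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\Directories\Startup.txt",
    r"C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\Directories\Videos.txt",
    r"C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\System\Apps.txt",
    r"C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\System\Debug.txt",
    r"C:\Users\Admin\AppData\Local\1570fc3c80a26086bd046c3ae802bffb\Admin@FMEDFXFE_en-US\System\ProductKey.txt",
    # Assumed to be Windows certificate-download temp files (the report also shows a CRL fetch), not stealer output.
    r"C:\Users\Admin\AppData\Local\Temp\Cab4443.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\Tar4465.tmp",
]

STAGING = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<profile>[^\\]+)\\AppData\\Local\\(?P<stage_id>[0-9a-f]{32})\\"
    r"(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[a-z]{2}-[A-Z]{2})\\"
    r"(?P<category>[^\\]+)\\(?P<item>.+)$")


def parse_staging(path: str):
    """Split one staged file path into its fields, or None when the path is not staging output."""
    m = STAGING.match(path)
    return m.groupdict() if m else None


def summarize(paths):
    """Group staged items per (staging id, victim tag) and per category; keep the rest as unmatched."""
    summary = {"victims": {}, "unmatched": []}
    for path in paths:
        rec = parse_staging(path)
        if rec is None:
            summary["unmatched"].append(path)
            continue
        key = (rec["stage_id"], f"{rec['user']}@{rec['host']}_{rec['locale']}")
        victim = summary["victims"].setdefault(key, defaultdict(list))
        victim[rec["category"]].append(rec["item"])
    return summary


if __name__ == "__main__":
    result = summarize(PATHS)
    for (stage_id, tag), categories in result["victims"].items():
        print(stage_id, tag)
        for category, items in sorted(categories.items()):
            print("  ", category, items)
    print("unmatched:", len(result["unmatched"]))
```

Note what the run did not stage: no Browsers\Chrome or Browsers\Edge entries and no credential files appear, and the WerFault entry in the process tree shows build.exe crashing, so the staged set here is smaller than a full run would produce. The same regex, applied to file-create telemetry, is a workable hunting query for the staging directory itself.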
