Overview

overview

10

Static

static

10

build.exe

windows7-x64

10

build.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 23:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    d9670844cad10be9f3008a72fa006e34

  • SHA1

    145fdb5807e66422e7a814e812ea09419a63f298

  • SHA256

    ebaa47a7f0ab0f5d1dbf8d61df5a1b4a3bfabdeca1a1cc70d587299bf4e73041

  • SHA512

    88c0e531fd65b93d4b82e2eec695a43a3d3ec8ef7635b0d4fa3d705a9a89154ab3620418656b0d89feed5e3ab1f0095d338774e64e489e543f4c280e5676c211

  • SSDEEP

    49152:skTq24GjdGSiqkqXfd+/9AqYanieKds7:s1EjdGSiqkqXf0FLYW

Score
10/10
stealeriumcollectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1274512924068675698/k-mmnbAfmlw_5PiLvw0QEDofdnNxg1aIa2f2zajaYrszuQMh4orlZvtuJP2WIFM3Y1nF

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1212
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:868
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:640
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5076
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4156
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 2756
      2⤵
      • Program crash
      PID:4252
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1212 -ip 1212
    1⤵
      PID:440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\Browsers\Firefox\Bookmarks.txt
      Filesize

      105B

      MD5

      2e9d094dda5cdc3ce6519f75943a4ff4

      SHA1

      5d989b4ac8b699781681fe75ed9ef98191a5096c

      SHA256

      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

      SHA512

      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\Directories\OneDrive.txt
      Filesize

      25B

      MD5

      966247eb3ee749e21597d73c4176bd52

      SHA1

      1e9e63c2872cef8f015d4b888eb9f81b00a35c79

      SHA256

      8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

      SHA512

      bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\Directories\Startup.txt
      Filesize

      24B

      MD5

      68c93da4981d591704cea7b71cebfb97

      SHA1

      fd0f8d97463cd33892cc828b4ad04e03fc014fa6

      SHA256

      889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

      SHA512

      63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\Directories\Videos.txt
      Filesize

      23B

      MD5

      1fddbf1169b6c75898b86e7e24bc7c1f

      SHA1

      d2091060cb5191ff70eb99c0088c182e80c20f8c

      SHA256

      a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

      SHA512

      20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\System\Apps.txt
      Filesize

      6KB

      MD5

      15b6f4e1af2e359f2faebed1bc51b661

      SHA1

      eb653d689e2a7a8182dbce5f9a9df9cfa8b91a51

      SHA256

      5a747271b0b451588c0e005966271d62d551b9f5c8fddbdf567788229f1c98de

      SHA512

      475261c3c7d67e2e41490a41c55e8eeb0073577e93e5886286f0c610ef5b18914e161f5b9f2add1daa181e96cb243809a202117f3b6dac2526c409cdeeb02b4e

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\System\Debug.txt
      Filesize

      1KB

      MD5

      18237ea8a45f405b3371ebbdf317cb61

      SHA1

      4295185dc77921dcb7071faff0f98f89cf4565ad

      SHA256

      cc441f3a846370221e027a687157165cae2d06b824e3de66a333a6bb092eea70

      SHA512

      55df1779f8dc62f41f01a24b3ab8b70cd5c894174f27f8753e4672f13f55b4bb014962bd61d006dba6fb8238ccfd80bcb277f1b4e87905c9e724a458d06935ed

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\System\Process.txt
      Filesize

      4KB

      MD5

      754f4291b639bd431ce1fe81ea9edbb5

      SHA1

      5d5512994872ee8e17e26907fe6188279c93ab7e

      SHA256

      f048cc925ee6ac847705f3762e0294fb060aff9e56d55e0ab608845abff0ff22

      SHA512

      fcd0a32150030cf20fbbbe0448c5e2825c71af717f4afb05a0b701b34dff889438364aacc945224ab16ad928316065e9b3841c588a79949aff26c7f433a13bac

      Download Submit

    • C:\Users\Admin\AppData\Local\13e2316127434cf7503388d22648bdf6\Admin@PVMNUDVD_en-US\System\ProductKey.txt
      Filesize

      29B

      MD5

      71eb5479298c7afc6d126fa04d2a9bde

      SHA1

      a9b3d5505cf9f84bb6c2be2acece53cb40075113

      SHA256

      f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

      SHA512

      7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

      Download Submit

    • memory/1212-10-0x0000000005F60000-0x0000000005F68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1212-70-0x0000000007690000-0x0000000007722000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1212-13-0x0000000007010000-0x000000000702E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1212-2-0x0000000005950000-0x00000000059B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1212-14-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1212-209-0x00000000071F0000-0x000000000726A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/1212-76-0x0000000008070000-0x0000000008614000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1212-11-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1212-1-0x0000000000DF0000-0x0000000000F82000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1212-12-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1212-0-0x000000007480E000-0x000000007480F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1212-9-0x0000000005F30000-0x0000000005F56000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1212-8-0x0000000005EA0000-0x0000000005F32000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1212-7-0x000000007480E000-0x000000007480F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1212-3-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1212-282-0x00000000074F0000-0x00000000075A2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1212-284-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download