Overview

overview

10

Static

static

10

Builder.exe

windows10-2004-x64

1

Builder.exe

windows10-2004-x64

10

Mono.Cecil.Mdb.dll

windows10-2004-x64

1

Mono.Cecil.Pdb.dll

windows10-2004-x64

1

Mono.Cecil.Rocks.dll

windows10-2004-x64

1

Mono.Cecil.dll

windows10-2004-x64

1

SixLabors....rp.dll

windows10-2004-x64

1

Spectre.Co...rp.dll

windows10-2004-x64

1

Spectre.Console.dll

windows10-2004-x64

1

Stub/stub.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    Stealerium.zip

  • Size

    2.8MB

  • Sample

    240818-wb1drawbkf

  • MD5

    c956487c81dc16555e9232408efbe44d

  • SHA1

    9272088c2dc913b3c6e779a091755b07e7fa3050

  • SHA256

    49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722

  • SHA512

    1d1f77372991544e502bf6076a2e5c9cea0d80e2afc00a0f4efe97ebf9b74bb18e1b52b3ec02dd3de441fe3114dd3aa15f21fc421ddf93204571acd7b56af64c

  • SSDEEP

    49152:TLJVKzIWdYcV84L/iexLO3eVKxR96nmWbVdXVPYiuX7lT6wxkyq1Pdr+1DUeYrxR:TLJA1dbF8ussn1Vd9YBbxkyq1PF4UPR

Score
10/10
stealeriumcollectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1274780874680045578/bhfe26mHD3XGCS8CTpISEb0E1A5yMoNOahgflHtHPUAvEsuX0rxv0fPRDpfWfEHUdyMy

Targets

    • Target

      Builder.dll

    • Size

      216KB

    • MD5

      41dd506cd0525197e69d9c8592aed2a7

    • SHA1

      5d04b134c8f1800fbcd664898d34dee8d10d8fa8

    • SHA256

      dcd0162524ce4ae11f5c5e9b496e35ce6a096e5dea8e63b45fa835069737f87c

    • SHA512

      16ba073d871eb9a244b8e733c101e9fec98699d881440e0dfa661e9f331fda0789f232e4abd70dcff3649a5428049590461da83ab7f0078e3ed9c7fc2fbfb28b

    • SSDEEP

      6144:Klx3eDAIbr0K3xybL1tAj4PhFqFVfrRbP:Klx3mbr0P1tAj4P6r9

    Score
    1/10
    behavioral1

    • Target

      Builder.exe

    • Size

      146KB

    • MD5

      6c898b9e5467f6d3442a579b7856bdaf

    • SHA1

      9522f2f219deaf4bb52262c2a5d23393037ec35f

    • SHA256

      8bf6beb962bf051de009059554aa265012342bd6ec841abd2aa94ba1335a333f

    • SHA512

      df35d776b2df079a9440ac1b0435e0fe9e4f1c17ee0790b1057ede8f146d90889c1fe727cd5112b27b2f4e96903c83f8ef7d61bc359aa762b708d17ad7676c41

    • SSDEEP

      3072:Iczkitvo4BpYN/6mBPry8TXROLdW5m4mURQ9OOGJ0kj:IA4NCmBPry/N2cOOI

    Score
    10/10
    stealeriumcollectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral2

    • Target

      Mono.Cecil.Mdb.dll

    • Size

      38KB

    • MD5

      0c2d7a3d146e193d7b8e50f0fe398568

    • SHA1

      bf0a6ab31388eab1ffd3cd87fae62b45e90cba24

    • SHA256

      2bda97fc302904bf235d631e698a0c81324872dfad2a38e63ef66389155bfcf4

    • SHA512

      5fdc45ae536955e6f66970b35008ce15c5c5624d0b31bd41c79d6548d0d1b950042f51fe7dbbbc33a6256f90f5db23bf0070abe24502a050505be66f086d6df0

    • SSDEEP

      768:ArF3HuZyOt78PeWSTkazhOOgfGNOV/pVxPRpaCCrHpTFuzL4oWB:ArFecOt78PeWC8OgfGkVh6pTcL4oWB

    Score
    1/10
    behavioral3

    • Target

      Mono.Cecil.Pdb.dll

    • Size

      87KB

    • MD5

      625ce2e8be214194a161fe80e6eca7d0

    • SHA1

      58944e03ee249618e9440545623c4545777377f7

    • SHA256

      333397769114ffd13046a25b9cfffd41c44a3450ea9ea1fd13b76eec28e1a815

    • SHA512

      c324ea36e4a89a6052f685e4f96527323ab6f4eea4f4c70c71f08a84df2d46332d91c3f289463502887d9b098dc6e69036c322630b770531927d5329873b250f

    • SSDEEP

      1536:mffXkeOyX+6C5S6R7nQSALYKXNgJGsZaBcLevjCXeo:ao5S6R7nNArWJGPBEeveXeo

    Score
    1/10
    behavioral4

    • Target

      Mono.Cecil.Rocks.dll

    • Size

      26KB

    • MD5

      6fc634673b94c7ddde6e2ba277f7e7c7

    • SHA1

      f29feb86a8595d104b3b1b4be809f6e9fbc8f042

    • SHA256

      a6d3e6eab8d89dbd6fcf34268a08a6544ea142b6bcc5f665bee62317786b7892

    • SHA512

      51f4782d7a8e2b3ffbb8fedddcfe85379e5adc499a2fd55c29e29628ca9519c33a33daf806eb3b8d01cfc10c964c1cd2558152c000c7ed2a8584f36c58f31c51

    • SSDEEP

      768:tkU1iy+QMBCocUuk0ThROoUheLXG99gmIt:tkUCCo/KjOoUhpg

    Score
    1/10
    behavioral5

    • Target

      Mono.Cecil.dll

    • Size

      351KB

    • MD5

      6d8d43c5d7dbe36ec01ff8b951cf1e0a

    • SHA1

      d6b8214419870770e1ce398ca06a6a9f0e9e62a3

    • SHA256

      9c2908709da6761e9b5b9d4d46102d65851145bac987787d6c5a05ffe5689487

    • SHA512

      221955b05d83513fadcb79721c96fd467ea871cfa401b279dc8ade426c88df4cadc884dae7a9c418c1012af202263f31ce8b63ca919e1f725eb7c7e8008c3a57

    • SSDEEP

      6144:eCDxMlG40kOSV1L6RWDv2F2AEJHwBI+aB:rG1J1LQFLE0I+

    Score
    1/10
    behavioral6

    • Target

      SixLabors.ImageSharp.dll

    • Size

      1.7MB

    • MD5

      523dced95fcb0120698fc194b159a5cd

    • SHA1

      9f6e4c7269caaf2e09b6961551102b1ec16e60a0

    • SHA256

      0d19e3bc90153b7d0360360422355daa569209180dd1e4337f2431148d1d7219

    • SHA512

      325c9c3a316852ea6156a07317a64e369048dc7cfea21e9ea87f8723cf37515f0dfc0a31ab3bf07155ea27938d426c9832c1fcba1ab6c96573cc44eacfa05255

    • SSDEEP

      24576:3ruzK1lGe+34AbXwX8WcaMX07Bpu39DhpsRalM9FHBjDkck3IegDkspo4fVz:3oo6WcaMX0zYUkY

    Score
    1/10
    behavioral7

    • Target

      Spectre.Console.ImageSharp.dll

    • Size

      16KB

    • MD5

      099edbe28aaacada8a7a12a414a1d68b

    • SHA1

      0cc1b8ed4448f4c7246dc859a6359fda20c2d927

    • SHA256

      52fef316879f90a3897ec33b8a6ca955bd720c8fe53b4479be01b70fcb7d26ee

    • SHA512

      07995720bc9e5d3b253b5cbe3f2700978950a81819d5064c25fbb6fe860c1cd1b32379136a390ab85f4612d82d4b256ba2d8c46cccdf9de04aab16135c2d6fe5

    • SSDEEP

      192:SZPAaThmPOaYDr59CUkZNd2AFSm8gCHWjPWfNx6CzOiUYvj4WLwTMVGqy5L5BR5/:iPAaWhq2PX2B1gC2KD6lY8WETKEX

    Score
    1/10
    behavioral8

    • Target

      Spectre.Console.dll

    • Size

      693KB

    • MD5

      46684228e7c345a3368e8a475ec573b7

    • SHA1

      aef278fbd7b3f6a65227c7b6b64eb6d88f6cc433

    • SHA256

      b9617847d85b8efe32d07c4c28f1d16cadd4bfe45a09fd1e24eb82505f913257

    • SHA512

      ce3ca4c8250bca3e97713d4047d0d874b3b6430014fbc3078b34a9f701a9eaa4b5e990ff99864c19b41eba1dfad74e0f6f1a464bef7b3d5ad825dfcb91b3da31

    • SSDEEP

      12288:YqVvbKRNvezf2ZOIyY37mkrGpmiv+Y66i7oE4z6kX:nURNvU+SkUQ6icEl

    Score
    1/10
    behavioral9

    • Target

      Stub/stub.exe

    • Size

      1.6MB

    • MD5

      6627adf7167ee571e8fd6c8b1a0e8ae3

    • SHA1

      03b9112660ee73c59d84e219f15bf24ae9df48db

    • SHA256

      6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f

    • SHA512

      e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60

    • SSDEEP

      49152:19Tq24GjdGSiqkqXfd+/9AqYanieKd0U:1YEjdGSiqkqXf0FLYW

    Score
    10/10
    stealeriumdiscoverystealer

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks