stealc | 1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2

General

Target

1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe
Size

268KB
MD5

fbe22ae7b62aaab2e6ccbb60c9399d1d
SHA1

2ec9b7706a2c7df043ebd570f2aabb02bd49fd45
SHA256

1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2
SHA512

36d1db03f4d51d98b8220e7aa9e2083b6f88a6f019093f258274acbf8e804a0d882da998adefb291d0c213701ed051d48979b47c4886a384397275f374147d60
SSDEEP

3072:tuhu304GAUMd+w0SLHp4o6njQJp2m2ostoRfAI3iuaU9tRHcro:0Y304GApg2p/0jQJpCo9FiuaG

Score

10^/10

stealc soft discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

soft

C2

https://steamcommunity.com/profiles/76561198035868993

Attributes

url_path
/43e1e04e93874aba.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	2152	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2452 wrote to memory of 2152	2452	1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe	31
PID 2152 wrote to memory of 2052	2152	RegAsm.exe	32
PID 2152 wrote to memory of 2052	2152	RegAsm.exe	32
PID 2152 wrote to memory of 2052	2152	RegAsm.exe	32
PID 2152 wrote to memory of 2052	2152	RegAsm.exe	32

C:\Users\Admin\AppData\Local\Temp\1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe
"C:\Users\Admin\AppData\Local\Temp\1347a330c618a1e846b928e0e3f29a5f9c333d69f73a1cef6a5365f51f5a85a2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 252
    3⤵
    - Program crash
    PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-11-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-16-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-15-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2452-1-0x00000000010B0000-0x00000000010F4000-memory.dmp

Filesize
272KB

Download
memory/2452-14-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/2452-17-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing