Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
01-09-2024 21:37
General
-
Target
2temp356.exe
-
Size
7.6MB
-
MD5
4c7fa6d1969c22e6eb4423e61b5362bf
-
SHA1
cb8c74194e13b0c45378f2d6e306c93bf426295f
-
SHA256
9c6d82574506dff981e52381327a153a5a989dfaa74c8a080473575f050395b2
-
SHA512
5c98c3999b7e84a7f0e4fe01ffb116da6dce16fcdce5cec1afeceaaeab67e889858c984af57babc0ececa966c497e05c5b9f4efb2ac6baa337adc8d27d780c45
-
SSDEEP
196608:oJTLQirzOtf8Inwg3TafmeZjYYRvoBZ1XchFky4QdQoFs4FxFbVI:oJTLFzOtf8Inwg3TafmeZjYYRoBZ9cK9
Malware Config
Extracted
stealc
benjiworld29
http://5.188.87.35
-
url_path
/3d7617bd9d626b25.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 2 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Stealc
Stealc is an infostealer written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2temp356.exe"C:\Users\Admin\AppData\Local\Temp\2temp356.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
907KB
MD550b1d0b22ee487a8a5ebc4455189ace0
SHA12607e2c7cf1b577b53f44c896980848a12b1397e
SHA256c38e25543b4f45d6117fe4bfef61bef5282c2df17690d051248fa9abe312bc44
SHA51288a90370902ce1ec0580ab65a02e515e218412c3c00b1ad65c4b0541059a883ea494822ac987abe7a1e2ad9d99a2085d632fde04eef8a4560669149be170ca6e
-
Filesize
2.0MB
-
Filesize
56KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
56KB
-
Filesize
1.5MB
-
Filesize
7.7MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
2.3MB
-
Filesize
4.2MB
-
Filesize
972KB
-
Filesize
32KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.0MB