General

  • Target

    ade16b249de80c5d8a459baaac67201c.bin

  • Size

    200KB

  • Sample

    240905-pepcbs1epb

  • MD5

    2a13548148a21f6b719c8c3fbad793e7

  • SHA1

    c26f2ee871fc0bbb0b8e988894bf8ccb05c3b7ce

  • SHA256

    edf6a05713ee101fc76c1190f5f5d1caffe25ef8a48964359e0bacaa88aa9987

  • SHA512

    f4d1368260f6cec91dc95e61caea94962fa615d27ea6893eaaf2be5b77b736758885d3cd98e358991621c6de45f7716daca665f290cc545db37702773f9633ed

  • SSDEEP

    6144:JrtKHrLCFyI3KfbgCoYJwDtIwJqzQd9+yvL:JrMHfCFyI3CgCRJwDtXYzk9+2L

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://147.45.47.137

Attributes
  • url_path

    /6ecdc9436941ebbd.php
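The extracted config above gives a C2 host and a per-build URL path; the most direct use of it is an IOC sweep over proxy logs and endpoint file-hash telemetry. The script below is an added example, not part of the sandbox report: the host, path and SHA256 values come from the report, while the log format, hostnames, client IPs and file paths are constructed for illustration. Note that the C2 is plain HTTP, so the request path is visible to an egress proxy.

```python
"""IOC sweep built from the extracted Stealc config in the report above.

Added example (not from the report). C2 host, URL path and SHA256 values are
copied from the report; every log line and file event below is constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Values taken from the "Malware Config" section of the report.
C2_HOST = "147.45.47.137"
C2_PATH = "/6ecdc9436941ebbd.php"

# SHA256 hashes from the report: the outer .bin sample and the inner .exe.
KNOWN_SHA256 = {
    "edf6a05713ee101fc76c1190f5f5d1caffe25ef8a48964359e0bacaa88aa9987":
        "ade16b249de80c5d8a459baaac67201c.bin",
    "f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d":
        "f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe",
}

# Constructed proxy log, one request per line:
#   <epoch> <hostname> <client_ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """
1725530401.123 WS-042 10.0.5.17 POST http://147.45.47.137/6ecdc9436941ebbd.php 200
1725530402.456 WS-042 10.0.5.17 GET http://example.com/index.html 200
1725530403.789 WS-017 10.0.5.31 POST http://203.0.113.9/6ecdc9436941ebbd.php 200
1725530404.001 WS-017 10.0.5.31 GET http://147.45.47.137/favicon.ico 404
"""

# Constructed endpoint file events: (hostname, path, sha256). The paths are
# illustrative; only the first and third hashes are real values from the report.
SAMPLE_FILE_EVENTS = [
    ("WS-042", r"C:\Users\alice\Downloads\invoice.exe",
     "f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d"),
    ("WS-042", r"C:\Windows\System32\notepad.exe", "0" * 64),
    ("WS-017", r"C:\Users\bob\AppData\Local\Temp\setup.bin",
     "EDF6A05713EE101FC76C1190F5F5D1CAFFE25EF8A48964359E0BACAA88AA9987"),
]


def classify_url(url: str) -> Optional[str]:
    """Grade a URL against the C2 config.

    c2_full            host and path both match (high confidence)
    c2_host            any request to the C2 host (port/scheme ignored)
    c2_path_other_host same gate path on a different host (lower confidence:
                       could be another build's C2, or a coincidence)
    """
    parts = urlsplit(url)
    host_hit = parts.hostname == C2_HOST
    path_hit = parts.path == C2_PATH
    if host_hit and path_hit:
        return "c2_full"
    if host_hit:
        return "c2_host"
    if path_hit:
        return "c2_path_other_host"
    return None


def sweep_proxy_log(log_text: str) -> list:
    """Return one hit dict per log line whose URL matches the C2 config."""
    hits = []
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 6:        # skip malformed lines instead of crashing
            continue
        _ts, host, client, method, url, _status = fields
        verdict = classify_url(url)
        if verdict:
            hits.append({"host": host, "client": client, "method": method,
                         "url": url, "verdict": verdict})
    return hits


def sweep_file_events(events) -> list:
    """Return (hostname, path, report_name) for files whose SHA256 is known."""
    return [(host, path, KNOWN_SHA256[sha.lower()])
            for host, path, sha in events if sha.lower() in KNOWN_SHA256]


if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for hit in sweep_file_events(SAMPLE_FILE_EVENTS):
        print("file :", hit)
```

A host-level match on 147.45.47.137 is the strongest signal; the path-only verdict is kept separate because the same gate filename on another host is a pivot to chase, not a confirmed hit. Hash comparison is case-insensitive because EDR products differ in how they emit hex digests.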

Targets

    • Target

      f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe

    • Size

      206KB

    • MD5

      ade16b249de80c5d8a459baaac67201c

    • SHA1

      8c795c6c18b99b90d23128413147a160ce0ca78c

    • SHA256

      f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d

    • SHA512

      2fb2d8adf690d2abe5476337f05f79c9a9a0b04f409e37d40fa004e2145826590fe91c4bfefdd14f2d826689e9eccb14e55efe60dd3063ac8a6285c9637fb573

    • SSDEEP

      6144:7KDAfd+iDttV/vPJ64KE82nH/VkaAZbEO:7KD0ogttVfJ64KElH/3AZbEO

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks