stealc | edf6a05713ee101fc76c1190f5f5d1caffe25ef8a48964359e0bacaa88aa9987

General

Target

f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe
Size

206KB
MD5

ade16b249de80c5d8a459baaac67201c
SHA1

8c795c6c18b99b90d23128413147a160ce0ca78c
SHA256

f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d
SHA512

2fb2d8adf690d2abe5476337f05f79c9a9a0b04f409e37d40fa004e2145826590fe91c4bfefdd14f2d826689e9eccb14e55efe60dd3063ac8a6285c9637fb573
SSDEEP

6144:7KDAfd+iDttV/vPJ64KE82nH/VkaAZbEO:7KD0ogttVfJ64KElH/3AZbEO

Score

10^/10

stealc default discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://147.45.47.137

Attributes

url_path
/6ecdc9436941ebbd.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1792	2460	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2084 wrote to memory of 2460	2084	f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe	32
PID 2460 wrote to memory of 1792	2460	RegAsm.exe	33
PID 2460 wrote to memory of 1792	2460	RegAsm.exe	33
PID 2460 wrote to memory of 1792	2460	RegAsm.exe	33
PID 2460 wrote to memory of 1792	2460	RegAsm.exe	33

C:\Users\Admin\AppData\Local\Temp\f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe
"C:\Users\Admin\AppData\Local\Temp\f70af1ea3e7ee9af7e45f56d107c95f5ced56d0811f1a6f30c936ca7a0175a3d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 252
    3⤵
    - Program crash
    PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x00000000011C0000-0x00000000011F8000-memory.dmp

Filesize
224KB

Download
memory/2084-17-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-8-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-12-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-16-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-14-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2460-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2460-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing