Malware Analysis Report

2025-01-22 22:53

Sample ID 240908-lhjz8s1aja
Target 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f
SHA256 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f
Tags
stealc rave discovery evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f

Threat Level: Known bad

The file 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f was found to be: Known bad.

Malicious Activity Summary

stealc rave discovery evasion stealer

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 09:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 09:31

Reported

2024-09-08 09:34

Platform

win10v2004-20240802-en

Max time kernel

99s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

memory/3940-0-0x0000000000880000-0x0000000000F0A000-memory.dmp

memory/3940-1-0x0000000076F34000-0x0000000076F36000-memory.dmp

memory/3940-2-0x0000000000881000-0x0000000000895000-memory.dmp

memory/3940-3-0x0000000000880000-0x0000000000F0A000-memory.dmp

memory/3940-5-0x0000000000880000-0x0000000000F0A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 09:31

Reported

2024-09-08 09:34

Platform

win11-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Network

Country Destination Domain Proto
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp

Files

memory/1848-0-0x0000000000A80000-0x000000000110A000-memory.dmp

memory/1848-1-0x0000000077C76000-0x0000000077C78000-memory.dmp

memory/1848-2-0x0000000000A81000-0x0000000000A95000-memory.dmp

memory/1848-3-0x0000000000A80000-0x000000000110A000-memory.dmp

memory/1848-4-0x0000000000A80000-0x000000000110A000-memory.dmp