stealc | ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709

Analysis

max time kernel
133s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
Size

3.9MB
MD5

4ba424fcbd23c58e1ec6abf8e307eef0
SHA1

e216ed7deffbf2e172be86b2b3eb015ac8fccb23
SHA256

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709
SHA512

f7cf58c2ea12dcc6ef9fe57af122bddd64685b4840205021ef1f70494785cb58b382e66a6b9bef37f295d332c02260f3297ccf9152586c25b6cdf334f5e53ae7
SSDEEP

98304:qy20g76NTTPs6deIF+iHtcbBt2VSFjUCaC:qy20K6NVdeIMiHmbeVS

Score

10^/10

stealc traf discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

traf

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Executes dropped EXE 1 IoCs

Processes:

svchost015.exe

pid process

552 svchost015.exe

pid	process
552	svchost015.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe

description	pid	process	target process
PID 3736 set thread context of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exesvchost015.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe

description	pid	process	target process
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe
PID 3736 wrote to memory of 552	3736	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	svchost015.exe

C:\Users\Admin\AppData\Local\Temp\ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
"C:\Users\Admin\AppData\Local\Temp\ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
memory/552-10-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/552-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/552-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/552-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/552-12-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3736-0-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3736-1-0x0000000002EF0000-0x0000000003259000-memory.dmp

Filesize
3.4MB

Download
memory/3736-11-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download