stealc | ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709

General

Target

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
Size

3.9MB
MD5

4ba424fcbd23c58e1ec6abf8e307eef0
SHA1

e216ed7deffbf2e172be86b2b3eb015ac8fccb23
SHA256

ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709
SHA512

f7cf58c2ea12dcc6ef9fe57af122bddd64685b4840205021ef1f70494785cb58b382e66a6b9bef37f295d332c02260f3297ccf9152586c25b6cdf334f5e53ae7
SSDEEP

98304:qy20g76NTTPs6deIF+iHtcbBt2VSFjUCaC:qy20K6NVdeIMiHmbeVS

Score

10^/10

stealc traf discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

traf

C2

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Executes dropped EXE 1 IoCs

pid	Process
1100	svchost015.exe

Loads dropped DLL 6 IoCs

pid	Process
2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1916	1100	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost015.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost015.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1100	svchost015.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 2008 wrote to memory of 1100	2008	ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe	31
PID 1100 wrote to memory of 1916	1100	svchost015.exe	34
PID 1100 wrote to memory of 1916	1100	svchost015.exe	34
PID 1100 wrote to memory of 1916	1100	svchost015.exe	34
PID 1100 wrote to memory of 1916	1100	svchost015.exe	34

C:\Users\Admin\AppData\Local\Temp\ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe
"C:\Users\Admin\AppData\Local\Temp\ec2112fa3e7b6680d48cd0129b5364bd1eb76573235dc1eadc2282eaf3bb2709.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 748
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
memory/1100-12-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-10-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-14-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-33-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-16-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-19-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-23-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-21-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1100-20-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2008-6-0x00000000036F0000-0x0000000003A59000-memory.dmp

Filesize
3.4MB

Download
memory/2008-22-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2008-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing