Analysis
-
max time kernel
90s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
14-09-2024 00:39
General
-
Target
f675e62581b09ecb840416233c8460bc.exe
-
Size
8.2MB
-
MD5
f675e62581b09ecb840416233c8460bc
-
SHA1
b7a42ed4a3f13d13905d910f02147d8bdc040b2b
-
SHA256
b4fed30b7d5c533ae1a553607630badbdc10aeacb612ff996e919d014bc2313c
-
SHA512
3bebe82737757c606356cab8877aa7ece5304f7eebbff1695bc4f20502e981d9ce4551ad3492f7c5580bd06d94cd63cd70a8706d24e73ae52e55e38f0f9b9a8a
-
SSDEEP
196608:ZEI9eJx7jQ/b7NuD4VuRS79tcM6vJKjJQQcrgUEr0NFMx3BWhp6D:ZEI9eXQ/b7NuD4VuRS79tczvJJQcrPEL
Malware Config
Extracted
stealc
benjiworld9
http://5.188.86.71
-
url_path
/05feb00efef399f8.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Stealc
Stealc is an infostealer written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f675e62581b09ecb840416233c8460bc.exe"C:\Users\Admin\AppData\Local\Temp\f675e62581b09ecb840416233c8460bc.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
909KB
MD5836c20844a9c69f26d76e9f4aca6b665
SHA13691a26b25f60e7bfa63ab9003ef867cda60874c
SHA256f8b73410d2a2ec8f9f35a95561048ab60febde41dc0180e4d338228928d52447
SHA512ee2cee8e2aafb9075e0eaa7714880f6095df466de19260d40c901258069b3960d24b8c57a2781ff284099e1e1f688b9e2e52dbb02ffa3d03eb4bcc1ceadef612
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
32KB
-
Filesize
4.2MB
-
Filesize
2.3MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
8.3MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB