stealc | fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
Size

4.1MB
MD5

7fa5c660d124162c405984d14042506f
SHA1

69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256

fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512

d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c
SSDEEP

98304:if7X0ZueTTPs6deIF+iHtcbBt2VSFjUCaZ:8bPeVdeIMiHmbeVS

Score

10^/10

stealc default discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Executes dropped EXE 1 IoCs

Processes:

svchost015.exe

pid process

216 svchost015.exe

pid	process
216	svchost015.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe

description	pid	process	target process
PID 3492 set thread context of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exesvchost015.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe

description	pid	process	target process
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe
PID 3492 wrote to memory of 216	3492	fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe	svchost015.exe

C:\Users\Admin\AppData\Local\Temp\fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
"C:\Users\Admin\AppData\Local\Temp\fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
memory/216-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/216-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/216-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/216-11-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3492-0-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3492-1-0x0000000003030000-0x0000000003399000-memory.dmp

Filesize
3.4MB

Download
memory/3492-10-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download