Analysis

  • max time kernel
    37s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-09-2024 17:21

General

  • Target

    glitch-builder.exe

  • Size

    1.6MB

  • MD5

    16831651bea5497480ad86c03c8b87e9

  • SHA1

    ce33602d32ac47fbe6b34025865da2207fc0a778

  • SHA256

    fbb6c7112f9fa902712c43640790bd0a06ea677ea724f4665dd8314619fd1e03

  • SHA512

    8716021be051718be124a734445e680b17401ed061251b26ba1ee5f2e4076ad6e1695be60e6c0bf84da4b28b6b0cd9e3cec5d2a92d5a828f3d7c46f7420cc888

  • SSDEEP

    24576:Bi2Q9NXw2/wPOjdGxY2rJxkqjVnlqud+/2P+A+ZecdyFoBkkAqmZywf0m:gTq24GjdGSiJxkqXfd+/9AqYanCLf

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1285269707397533747/XR6fJkSQL1BErqHOPdRzpy8cagEaXVfErisl-zxRMuyQy_2Y5M2WVGJJtjak09EVtV64

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\glitch-builder.exe
    "C:\Users\Admin\AppData\Local\Temp\glitch-builder.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:4280
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4500
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:2596
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3420
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:968
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4724
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4148
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3380

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\Directories\OneDrive.txt

    Filesize

    25B

    MD5

    966247eb3ee749e21597d73c4176bd52

    SHA1

    1e9e63c2872cef8f015d4b888eb9f81b00a35c79

    SHA256

    8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

    SHA512

    bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\Directories\Startup.txt

    Filesize

    24B

    MD5

    68c93da4981d591704cea7b71cebfb97

    SHA1

    fd0f8d97463cd33892cc828b4ad04e03fc014fa6

    SHA256

    889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

    SHA512

    63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\Directories\Videos.txt

    Filesize

    23B

    MD5

    1fddbf1169b6c75898b86e7e24bc7c1f

    SHA1

    d2091060cb5191ff70eb99c0088c182e80c20f8c

    SHA256

    a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

    SHA512

    20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\System\Apps.txt

    Filesize

    6KB

    MD5

    736eaf29dc11b211f1ef21bc02d06016

    SHA1

    0232129da9cbf955c92fe2b77a104e89ddccd801

    SHA256

    b6ed0456048507684d6922579cee367157dfe9f98b0816d22771caff4d59eb66

    SHA512

    8df26162eaaaaf29e4ce5d2a696a764a52417a050d1defa9461840404055ac491dacc3d26cb9436a817258ebcbbf271a2039b79e2931bcdbf9ea9c8589b0f104

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\System\Debug.txt

    Filesize

    1KB

    MD5

    f45b5bf9264e10e9a1f4a664b6b878a4

    SHA1

    9a3b13213f340280ea4b1dc43b736191476f630e

    SHA256

    9bca51a0d1b15a22a4b62def64594b0bf0145814accde25e979a665660daca29

    SHA512

    e7f8fa23db82112486f5c234e5f39f6d557c2a086c336f20093e404be65f94f5e51dd449ad8c61cf907b29034deeb5eb63147950ad0ab3b945836b536beb8a39

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\System\Process.txt

    Filesize

    4KB

    MD5

    01320d55a8475c411a14ab144e3807af

    SHA1

    cc5e9a6a780e6df9f24ce367d4dd88d28575de07

    SHA256

    d7fb789de3affb83ed375d711cdbe204ace800ac3f59623fee4619b5cc7a7417

    SHA512

    ff5474fd4125b724f7cb11ed27c76e447abeec460a3d0e606614071ef65b1d21be787e74cdd35949c264457ffda77426327dbec2a81e07cda33a23bd438459b7

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\Admin@KVIWLPUJ_en-US\System\ProductKey.txt

    Filesize

    29B

    MD5

    71eb5479298c7afc6d126fa04d2a9bde

    SHA1

    a9b3d5505cf9f84bb6c2be2acece53cb40075113

    SHA256

    f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

    SHA512

    7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

  • C:\Users\Admin\AppData\Local\f660f876dc67969b2fcce6a49e608e77\msgid.dat

    Filesize

    19B

    MD5

    af4eef86833bcc9bb1f91ae9fa074ee5

    SHA1

    b5c574d93a720694cf37e6ad27407649bb0f1ae6

    SHA256

    6e7b83632707092f202d221cdcf63b833dc6aa9b3cad75ae466e7f266f4da5dc

    SHA512

    5f25237d368c963d12e7a638f10fc1d1c21bcb36199371b293d3833fc26015aab2df3a5952af1d7184bba475e20330f64efb2c223e4f63f99f76ff1a68600ac9

  • memory/3380-303-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-302-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-301-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-293-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-300-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-299-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-292-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-291-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-297-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/3380-298-0x00000205D3DD0000-0x00000205D3DD1000-memory.dmp

    Filesize

    4KB

  • memory/4280-73-0x0000000007960000-0x0000000007F04000-memory.dmp

    Filesize

    5.6MB

  • memory/4280-191-0x0000000074580000-0x0000000074D30000-memory.dmp

    Filesize

    7.7MB

  • memory/4280-8-0x0000000005AE0000-0x0000000005B06000-memory.dmp

    Filesize

    152KB

  • memory/4280-275-0x0000000006D00000-0x0000000006DB2000-memory.dmp

    Filesize

    712KB

  • memory/4280-277-0x00000000070B0000-0x00000000070D2000-memory.dmp

    Filesize

    136KB

  • memory/4280-278-0x0000000008310000-0x0000000008664000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-1-0x0000000000990000-0x0000000000B26000-memory.dmp

    Filesize

    1.6MB

  • memory/4280-290-0x0000000007550000-0x000000000755A000-memory.dmp

    Filesize

    40KB

  • memory/4280-202-0x0000000006F20000-0x0000000006F9A000-memory.dmp

    Filesize

    488KB

  • memory/4280-10-0x0000000006B80000-0x0000000006B88000-memory.dmp

    Filesize

    32KB

  • memory/4280-117-0x000000007458E000-0x000000007458F000-memory.dmp

    Filesize

    4KB

  • memory/4280-3-0x0000000074580000-0x0000000074D30000-memory.dmp

    Filesize

    7.7MB

  • memory/4280-68-0x0000000006DE0000-0x0000000006E72000-memory.dmp

    Filesize

    584KB

  • memory/4280-2-0x00000000054F0000-0x0000000005556000-memory.dmp

    Filesize

    408KB

  • memory/4280-11-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

    Filesize

    120KB

  • memory/4280-9-0x00000000058B0000-0x00000000058BA000-memory.dmp

    Filesize

    40KB

  • memory/4280-0-0x000000007458E000-0x000000007458F000-memory.dmp

    Filesize

    4KB

  • memory/4280-7-0x0000000005A40000-0x0000000005AE0000-memory.dmp

    Filesize

    640KB