General

  • Target

    56653d71f83b1263af7291639aa6e6ca4d2052320e4e401116d6115199100463

  • Size

    1.7MB

  • Sample

    240919-2hheeavcrr

  • MD5

    8905b2eec5c9e841d1a73a232ab12f9e

  • SHA1

    141478ef2b8aa54c1b14a54c8c194a3bfeef67a4

  • SHA256

    56653d71f83b1263af7291639aa6e6ca4d2052320e4e401116d6115199100463

  • SHA512

    0edd91acd1466405b80415cae1dbaf28aaf6582585d00a7660c7874122118b3ac33234fd7695252d23dfdf3e3a110e2f6735dd4d51a996f8756aeae5552bf4d3

  • SSDEEP

    49152:9d4gcmhs3vQ1TroLLMghZskpfSY4t3EsebW60VqkC:6isfwnoX1skpfd49EsebW60hC

Malware Config

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes

  • url_path

    /e2b1563c6670f193.php

Targets

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks