Analysis Overview
SHA256
a4beca9447f15277f11843a2109ce49e0f4c69055e2c17ed60d59e24cefea82a
Threat Level: Shows suspicious behavior
The file DeadStealer.exe was classified as showing suspicious behavior (no malware family was matched).
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 13:03
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 13:03
Reported
2024-09-19 13:05
Platform
win7-20240903-en
Max time kernel
16s
Max time network
16s
Signatures
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe
"C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
Files
memory/2400-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp
memory/2400-1-0x0000000001120000-0x0000000001576000-memory.dmp
memory/2400-2-0x00000000002E0000-0x0000000000300000-memory.dmp
memory/2400-3-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-4-0x0000000000320000-0x0000000000340000-memory.dmp
memory/2400-5-0x000000001B960000-0x000000001BB74000-memory.dmp
memory/2400-6-0x0000000000B90000-0x0000000000BFE000-memory.dmp
memory/2400-9-0x0000000000460000-0x0000000000470000-memory.dmp
memory/2400-10-0x0000000000CF0000-0x0000000000D0E000-memory.dmp
memory/2400-8-0x0000000000C90000-0x0000000000CEA000-memory.dmp
memory/2400-7-0x0000000000450000-0x000000000045E000-memory.dmp
memory/2400-11-0x000000001C010000-0x000000001C15A000-memory.dmp
memory/2400-12-0x000000001C160000-0x000000001C276000-memory.dmp
memory/2400-13-0x0000000000D10000-0x0000000000D40000-memory.dmp
memory/2400-14-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-15-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-16-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-17-0x000007FEF6233000-0x000007FEF6234000-memory.dmp
memory/2400-18-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-19-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-20-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
memory/2400-21-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 13:03
Reported
2024-09-19 13:05
Platform
win10v2004-20240802-en
Max time kernel
97s
Max time network
98s
Signatures
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe
"C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
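The behavioral2 table mixes three kinds of rows: a forward DNS query for pastebin.com, reverse (PTR) queries whose names carry an IPv4 address written backwards under in-addr.arpa, and one direct TLS connection on 443. The following added example (not part of the report or of any sandbox tooling) turns those rows back into usable indicators: it decodes each PTR name into the address it asks about, then keeps only the reverse lookups that match a real connection in the same table. The rows are copied from the table above; the function names and the ABUSED_HOSTING set are assumptions made for the example.

```python
"""Added example (not part of the report): decode the Network table into IOCs.

ROWS is copied from the behavioral2 Network table on this page; everything
else (function names, the ABUSED_HOSTING set) is an assumption of the example.
"""
import ipaddress

# (country, destination, domain, proto) exactly as listed in the report.
ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "pastebin.com", "udp"),
    ("US", "104.20.3.235:443", "pastebin.com", "tcp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "235.3.20.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
]

# Services the report flags as "Legitimate hosting services abused for malware hosting/C2".
ABUSED_HOSTING = {"pastebin.com"}


def ptr_to_ip(name):
    """'235.3.20.104.in-addr.arpa' -> '104.20.3.235'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        # IPv4Address validates each octet (rejects values over 255 or non-digits).
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(rows):
    """Separate DNS rows from real connections and correlate reverse lookups with them."""
    direct = {}           # ip -> {(port, proto, domain)} for non-DNS traffic
    ptr_lookups = set()   # addresses the host reverse-resolved
    forward_lookups = set()
    for _country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if port == "53":
            rip = ptr_to_ip(domain)
            if rip:
                ptr_lookups.add(rip)
            else:
                forward_lookups.add(domain)
            continue
        direct.setdefault(ip, set()).add((int(port), proto, domain))
    seen_domains = forward_lookups | {d for conns in direct.values() for _, _, d in conns}
    return {
        "direct": direct,
        "ptr_lookups": ptr_lookups,
        "forward_lookups": forward_lookups,
        # reverse lookups that match a real connection: the high-confidence endpoints
        "correlated": {ip for ip in ptr_lookups if ip in direct},
        "abused_hosting": seen_domains & ABUSED_HOSTING,
    }


if __name__ == "__main__":
    iocs = extract_iocs(ROWS)
    for ip, conns in iocs["direct"].items():
        print("connection:", ip, sorted(conns))
    print("reverse lookups with a matching connection:", sorted(iocs["correlated"]))
    print("reverse lookups without one:", sorted(iocs["ptr_lookups"] - iocs["correlated"]))
    print("abused hosting services:", sorted(iocs["abused_hosting"]))
```

Run on these rows, the only correlated address is 104.20.3.235, the pastebin.com endpoint the sample reached on 443; the other nine reverse lookups have no matching connection anywhere in the table, which is the usual profile of OS background traffic on a sandbox image and should stay low confidence until something actually connects to them. Pivot on the domain rather than the address: the two runs on this page resolved pastebin.com to different hosts (104.20.4.235 on win7, 104.20.3.235 on win10), and the paste itself is not visible because the fetch was over TLS.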
Files
memory/3944-0-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp
memory/3944-1-0x0000019DB5280000-0x0000019DB56D6000-memory.dmp
memory/3944-2-0x0000019DB5A90000-0x0000019DB5AB0000-memory.dmp
memory/3944-3-0x0000019DB5AF0000-0x0000019DB5B10000-memory.dmp
memory/3944-4-0x0000019DCFEA0000-0x0000019DD00B4000-memory.dmp
memory/3944-5-0x0000019DCFDF0000-0x0000019DCFE5E000-memory.dmp
memory/3944-9-0x0000019DB73A0000-0x0000019DB73B0000-memory.dmp
memory/3944-10-0x0000019DB73B0000-0x0000019DB73CE000-memory.dmp
memory/3944-8-0x0000019DD00B0000-0x0000019DD010A000-memory.dmp
memory/3944-7-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-6-0x0000019DB7310000-0x0000019DB731E000-memory.dmp
memory/3944-11-0x0000019DD10A0000-0x0000019DD11EA000-memory.dmp
memory/3944-13-0x0000019DCFE60000-0x0000019DCFE90000-memory.dmp
memory/3944-12-0x0000019DD11F0000-0x0000019DD1306000-memory.dmp
memory/3944-14-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-15-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-16-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-17-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp
memory/3944-18-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-19-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-20-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp
memory/3944-21-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp