Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 14:35
General
-
Target
mediafile.exe
-
Size
3.7MB
-
MD5
be895bd5ac158111518ec50d41fcb871
-
SHA1
25bf30d6d13f93c762b6f341bc629c29d9722326
-
SHA256
1bcc15d694501be5846d278419ca76e86904fb83c0e2337a8fb18627a32204b4
-
SHA512
fc65be37f401b7f373a502e340a42fd07db22d16583de906067c73a04398b8d99ffdc8d427024168c34fca3da93c71273c9b3b46eab383f9e8ed809d59711716
-
SSDEEP
98304:wOCG4h7FiRe7WkAbJ0rCmIZDfNJBechU/dUq:3o7vWkwnmIZDfNJBegc
Malware Config
Extracted
stealc
meowsterioland13
http://194.36.170.210
-
url_path
/26b01a4cb07d7322.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Stealc
Stealc is an infostealer written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mediafile.exe"C:\Users\Admin\AppData\Local\Temp\mediafile.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
905KB
MD50b012632be8bfbe56a175418bc8dcdcc
SHA1b66eea9c9870bb7216a17058ef5bfcb7cf9a7d49
SHA25694ead8ad3f14697d0a100f9416184248ae8222b2680dda11cd7642b9d65da33a
SHA512c55c4b496c016ec8207dd6279096d2b2e008ed6e10abadddaaf3c64b3495a6efa4e58514beac8ce228d6d162c8df05da3aeea0c138dbc0280478477bf067c66f
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
4.2MB
-
Filesize
32KB
-
Filesize
2.3MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
4.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB