Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-09-2024 23:19
General
-
Target
806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe
-
Size
3.8MB
-
MD5
1c25367e4c2492ebf34728546f96789e
-
SHA1
7ee66552ce8fab8f137e1e67dcd6f79355d78b1e
-
SHA256
806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551
-
SHA512
7f20b8df12f0bee55eda4d1a8ba00a234ebfb37aff83e7b4ab38186c3947f696f5ccf643d03d9e8103b2880b5f190fb465df4b099d37d6385d66dae81baec945
-
SSDEEP
98304:3PbP5nCK3zBS0g4BchdDh9QWAomJbbbayyxFRPAB:3PbdvB+KkhMxJe/FlAB
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1287529665392807997/bGooHy1iKKCIBP7y-Dpt2JaN2ByNuNEr1f3jVU-J6FjhvK_4shc2bdf_Yp-aH-WmAzbF
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe"C:\Users\Admin\AppData\Local\Temp\806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\stub.exe"C:\Users\Admin\AppData\Local\Temp\stub.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA75.tmp.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 28524⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp33F6.tmp.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 46044⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5b6fd03abe0ca99462df8a8dbba293c39
SHA158b0fafd5ba58ca4bf0a5666f381bbf4b603120a
SHA256be3744f29ccf98ec1118ce7492a63178abeeb3e52d0fa28f59e6b3217fdfcc6d
SHA512f0bce4aa6efbf3be57fad71275824ed339bdcf7e8e0b928f114c92aad0d735c490730f4fc2f54ab088afc25feee203929524445f836f156ff3075134f51a43c7
-
Filesize
1.6MB
MD502c88fe38285c217f895ff539c631fc5
SHA1b0d560a11ce564c5272e879f321688b97561f55c
SHA2567b7fb709fbfa417617beda6fdceb611b51f7d4d76881a106c0edf683fd170e36
SHA51245498d421c5f13af6382a2ee54c7e2a044a25334c4186450426e52b96c21b9fb97b17d6ddb515f47c9fb19ab5dab37e7bef0cfe0f544f9bb5896ea5ea18c667e
-
Filesize
57B
MD5da92880b218fa6852199b9893290f982
SHA159c2dcccbee0624647799eeff0a17449b708f251
SHA25688825153c03c6ecfe6f9765e56fbdb6c16ca10714eecd85c18805f8e611c6e43
SHA512b8542a571d0142a85e03aba6537da4c5a7ce5f1d1f2d2a28bf65d16b25b1c436db133eb9483f6cfb2b4896324825041045653ed0d85db8ddf26deb5a29d0f72d
-
Filesize
57B
MD504195a90284b9e7205e9f77407c50ead
SHA1865bbb3df3722396f63bb9b367fda0d3f6e74f39
SHA256f5e4c0a1df31606f25c6f594318c1527815eaa9b3c708f2a68bf1f99eba4cef9
SHA5125b02678ff68f0a982a55edd5f3d1a9abebf49e88698b12603f1e77120a6b5c6666bbecc39f73fa6555fbaf950620b6dca2d41431c9a629597b6d3d7bbb09d5a3
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.6MB
-
Filesize
7.7MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
4KB
-
Filesize
8.4MB
-
Filesize
4KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
640KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
7.7MB