stealerium | c050dabdd26b7ea0415924fec06cbeaf40d81eac76919773f68a6a26add9c3cb

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

3.6MB
MD5

9b91b043453544a7e3683bd44840ddd9
SHA1

4e8447f27fdbce918bc064c42be18b82353407ec
SHA256

c050dabdd26b7ea0415924fec06cbeaf40d81eac76919773f68a6a26add9c3cb
SHA512

1a9bc2b08f3c3a703ba1abbb028fbe5733363a6156be690e2fdd55dcb68eda57773d0107a451787244f0007fb4021646ebdf2147c324f2c84e684e8bd8d603ef
SSDEEP

98304:uEjdGSi3kqXf0FLYWCLbi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13:Q3kSILYWqZAkuujCPX9YG9he5GnQCAJS

Score

10^/10

stealerium discovery stealer

Malware Config

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	discord.com
16	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3628	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4936	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
376	build.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	build.exe
Token: SeDebugPrivilege	4936	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 4072	376	build.exe	83
PID 376 wrote to memory of 4072	376	build.exe	83
PID 376 wrote to memory of 4072	376	build.exe	83
PID 4072 wrote to memory of 1376	4072	cmd.exe	85
PID 4072 wrote to memory of 1376	4072	cmd.exe	85
PID 4072 wrote to memory of 1376	4072	cmd.exe	85
PID 4072 wrote to memory of 4936	4072	cmd.exe	86
PID 4072 wrote to memory of 4936	4072	cmd.exe	86
PID 4072 wrote to memory of 4936	4072	cmd.exe	86
PID 4072 wrote to memory of 3628	4072	cmd.exe	87
PID 4072 wrote to memory of 3628	4072	cmd.exe	87
PID 4072 wrote to memory of 3628	4072	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC062.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 376
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC062.tmp.bat

Filesize
56B

MD5
1ca83f211d98b3f8f9f0261e22c34882

SHA1
3056eb5e609e1634e356c30cec6094a82e547432

SHA256
0dce3ddb29ec0232f6e6fc79f97659a5f20c364d65b3139b469ed7c29ee37810

SHA512
0f8516be43251e4d2a28d7ca9b52b15c0d73e158d29874a52214c8e762ec3627f09291831088f26439d4ff4982845513d9cbc754dcf299a93407ce41738ed530

Download Submit
memory/376-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/376-1-0x0000000000BA0000-0x0000000000F48000-memory.dmp

Filesize
3.7MB

Download
memory/376-2-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/376-3-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/376-6-0x0000000005E00000-0x0000000005EA0000-memory.dmp

Filesize
640KB

Download
memory/376-7-0x0000000005EA0000-0x0000000005EC6000-memory.dmp

Filesize
152KB

Download
memory/376-12-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download