Malware Analysis Report

2025-06-16 03:53

Sample ID 241002-ghlrlstfpe
Target 33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe
SHA256 33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029
Tags
stealc doma credential_access discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029

Threat Level: Known bad

The file 33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe was found to be: Known bad.

Malicious Activity Summary

stealc doma credential_access discovery evasion spyware stealer

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 05:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 05:48

Reported

2024-10-02 05:50

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe

"C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe"

Network

Country Destination Domain Proto
RU 185.215.113.37:80 185.215.113.37 tcp

Files

memory/2120-0-0x0000000000A00000-0x000000000109A000-memory.dmp

memory/2120-1-0x0000000077810000-0x0000000077812000-memory.dmp

memory/2120-3-0x0000000000A00000-0x000000000109A000-memory.dmp

memory/2120-2-0x0000000000A01000-0x0000000000A24000-memory.dmp

memory/2120-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2120-42-0x0000000000A00000-0x000000000109A000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2120-60-0x0000000000A00000-0x000000000109A000-memory.dmp

memory/2120-66-0x0000000000A00000-0x000000000109A000-memory.dmp

memory/2120-67-0x0000000000A00000-0x000000000109A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 05:48

Reported

2024-10-02 05:50

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe

"C:\Users\Admin\AppData\Local\Temp\33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029.exe"

Network

Country Destination Domain Proto
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 37.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp

Files

memory/4992-0-0x0000000000B20000-0x00000000011BA000-memory.dmp

memory/4992-1-0x00000000773E4000-0x00000000773E6000-memory.dmp

memory/4992-2-0x0000000000B21000-0x0000000000B44000-memory.dmp

memory/4992-3-0x0000000000B20000-0x00000000011BA000-memory.dmp

memory/4992-5-0x0000000000B20000-0x00000000011BA000-memory.dmp