stealc | 1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1

General

Target

1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe
Size

473KB
MD5

6e9a0ab2595f7c2c7055bda14628ffb2
SHA1

2ca02b85024075424528d8c5dd1ecc4bb6631de5
SHA256

1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1
SHA512

c6f8b3d8875460e29357bb1f3f05854ed27084fa5b072a279cd21b27cc8466818979d566250e1f2377f4b519d34ee426a5d8c2f79037816c06e5fdd1d7cd3120
SSDEEP

12288:LiO/Vwf1v8jvluf5SW0youRteJ1veFBlBGKXKAgKxlFsP:LT810lU5rBgmBlBKaxS

Score

10^/10

stealc default discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2644	2256	WerFault.exe	28
2648	2872	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2432	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	29
PID 2256 wrote to memory of 2432	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	29
PID 2256 wrote to memory of 2432	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	29
PID 2256 wrote to memory of 2432	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	29
PID 2256 wrote to memory of 2480	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	30
PID 2256 wrote to memory of 2480	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	30
PID 2256 wrote to memory of 2480	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	30
PID 2256 wrote to memory of 2480	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	30
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2872	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	31
PID 2256 wrote to memory of 2644	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	33
PID 2256 wrote to memory of 2644	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	33
PID 2256 wrote to memory of 2644	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	33
PID 2256 wrote to memory of 2644	2256	1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe	33
PID 2872 wrote to memory of 2648	2872	MSBuild.exe	32
PID 2872 wrote to memory of 2648	2872	MSBuild.exe	32
PID 2872 wrote to memory of 2648	2872	MSBuild.exe	32
PID 2872 wrote to memory of 2648	2872	MSBuild.exe	32

C:\Users\Admin\AppData\Local\Temp\1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe
"C:\Users\Admin\AppData\Local\Temp\1346beeb2362476fd773d6e3cda944040ba3945a49e29b08b25f889cf5ee26a1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 44
    3⤵
    - Program crash
    PID:2648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 72
  2⤵
  - Program crash
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2256-0-0x00000000002A5000-0x00000000002A6000-memory.dmp

Filesize
4KB

Download
memory/2256-11-0x00000000002A5000-0x00000000002A6000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2872-2-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2872-8-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2872-10-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2872-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-5-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2872-4-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2872-3-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing