Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 22:06

General

  • Target

    b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8N.exe

  • Size

    3.5MB

  • MD5

    f425cff35d35fff3619237dea3ab4890

  • SHA1

    bb6a3027605a785f83801c7c0a669096bca48e07

  • SHA256

    b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8

  • SHA512

    529d8986118026ae2b4b8b0c1b0bc7943cf361be441db31ac2fc57035ede5861c4f1f0d703fa429ca4dbea21f5056f4a68382139add159707423c87f1f481911

  • SSDEEP

    98304:zff4bJMxiM8aBP3D5uxmfQEvja3l0uhpo7rdnv0rhbyY60:GmiM8aLamhrRvdYm

Score
10/10

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1289898054861721610/UQWcUikhzoeSP3g5t4FGwPRX_m_qZGaFt1VvM7K3CUCEu3TaOhBCLZYSdh-IW9pcU4U1

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8N.exe
    "C:\Users\Admin\AppData\Local\Temp\b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8N.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCE47.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2732
        • C:\Windows\system32\taskkill.exe
          TaskKill /F /IM 2552
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1204
        • C:\Windows\system32\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpCE47.tmp.bat
    Filesize: 57B
    MD5: 1b6167ea467827b8788412f60fc823b2
    SHA1: ef5f1492c0ef75cbbf4bb90b4270088c60ad3d47
    SHA256: 1e9befe491cfc5c243c3b9617daf204f5453bb3af6b8b65337d97e2aa4518f3e
    SHA512: 68c5e217882439b1a8b3fbbe067ff07843d330a6716e744fe42e9fb2818a47f4b2a128d1bd781cd0d046c1ae3eaa95fd25dfdad4bdf8b967247b70bb829c01b7
  • memory/2552-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp
    Filesize: 4KB
  • memory/2552-1-0x0000000001080000-0x0000000001408000-memory.dmp
    Filesize: 3.5MB
  • memory/2552-2-0x000000001B490000-0x000000001B838000-memory.dmp
    Filesize: 3.7MB
  • memory/2552-3-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp
    Filesize: 9.9MB
  • memory/2552-4-0x000000001BE90000-0x000000001BF30000-memory.dmp
    Filesize: 640KB
  • memory/2552-5-0x0000000000CD0000-0x0000000000CF6000-memory.dmp
    Filesize: 152KB
  • memory/2552-8-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp
    Filesize: 9.9MB