Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 22:06

General

  • Target

    b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8N.exe

  • Size

    3.5MB

  • MD5

    f425cff35d35fff3619237dea3ab4890

  • SHA1

    bb6a3027605a785f83801c7c0a669096bca48e07

  • SHA256

    b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8

  • SHA512

    529d8986118026ae2b4b8b0c1b0bc7943cf361be441db31ac2fc57035ede5861c4f1f0d703fa429ca4dbea21f5056f4a68382139add159707423c87f1f481911

  • SSDEEP

    98304:zff4bJMxiM8aBP3D5uxmfQEvja3l0uhpo7rdnv0rhbyY60:GmiM8aLamhrRvdYm

Score
10/10

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1289898054861721610/UQWcUikhzoeSP3g5t4FGwPRX_m_qZGaFt1VvM7K3CUCEu3TaOhBCLZYSdh-IW9pcU4U1

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8N.exe
    "C:\Users\Admin\AppData\Local\Temp\b8c74e7e86e542c6ce85dd268694a3f3be347d223eb2a2c34d64c8221d5cd3b8N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9DB7.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4060
      • C:\Windows\system32\taskkill.exe
        TaskKill /F /IM 2908
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Windows\system32\timeout.exe
        Timeout /T 2 /Nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4492

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9DB7.tmp.bat

      Filesize

      57B

      MD5

      1803909352340357a09d969d1a7631f5

      SHA1

      cb7fe2729037bc32278a7f04e7e817b37580b1e5

      SHA256

      ba58991439468581e0bdf009de806b4cc0e595e8bc099bbcd955604363161755

      SHA512

      539251eaef03ab5917520f24ebd3da71f798dcd0792640c3abec2685668115e742167a005209c601078c13bd024b258e276d410051b4f5aa803f9043d1c3c9b7

    • memory/2908-0-0x00007FFBF2B73000-0x00007FFBF2B75000-memory.dmp

      Filesize

      8KB

    • memory/2908-1-0x00000000000E0000-0x0000000000468000-memory.dmp

      Filesize

      3.5MB

    • memory/2908-2-0x000000001B100000-0x000000001B4A8000-memory.dmp

      Filesize

      3.7MB

    • memory/2908-3-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

      Filesize

      10.8MB

    • memory/2908-4-0x000000001B8B0000-0x000000001B950000-memory.dmp

      Filesize

      640KB

    • memory/2908-5-0x0000000002530000-0x0000000002556000-memory.dmp

      Filesize

      152KB

    • memory/2908-8-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

      Filesize

      10.8MB