Overview

overview

10

Static

static

3

Bootstrapp...22.exe

windows10-1703-x64

10

Bootstrapp...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    68s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-10-2024 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper_V1.22.exe

  • Size

    2.8MB

  • MD5

    683ac286394c119539b3c7c2af6474f1

  • SHA1

    13b442ad04c3afb0fc3c49b3cda5c15e05e0af47

  • SHA256

    a4d4485ba8aeaff121b500fbe29d597228521b2613b82f072ffe924119f91faa

  • SHA512

    b6282aeeb7000b3c41621f823b07b204d77e685f6ff8d650386422f27f8b09c2eaaaf97cf84be2b31189fb45cdce7db3f54b66470ce25afa7222ecfe0e3595e5

  • SSDEEP

    49152:Osnd9LIpizPyJgj+GM7CR+5J3oFNBdYL80fWOjB+7/k/2QK13FJA9utkul+hwPD:OEd9kcPyel5snoFNYL8YbI7y2313wN/

Score
10/10
stealc7140196255credential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

7140196255

C2

http://178.63.215.77

Attributes
  • url_path

    /031d77089be01fd8.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V1.22.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V1.22.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\Solara' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' Add-MpPreference -ExclusionPath 'C:\Users' "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3828
    • C:\Solara\SecondFile.exe
      "C:\Solara\SecondFile.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3724
  • C:\Users\Admin\Desktop\BootstrapperV1.16.exe
    "C:\Users\Admin\Desktop\BootstrapperV1.16.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5008
  • C:\Users\Admin\Desktop\BootstrapperV1.16.exe
    "C:\Users\Admin\Desktop\BootstrapperV1.16.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Solara\SecondFile.exe
    Filesize

    307KB

    MD5

    62f90cd0cb366fa5daa8aafcdcd16235

    SHA1

    57fd35c5ba228b3b9127dc42ce3c9db3a8848ea9

    SHA256

    c5307c86c06edb2d3aa14c90563cb59ef865ebbe1eae6a4e2d78db35dfdd79e0

    SHA512

    2b9661e8a02846fe00cd1ede37e96ae56bad04b8943d714beaa3b6e7548121412a14260805863fa61a9bf13bd8378af8d5eca657464b2c3b82eb5c8e5e14f8d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3hzfm1n.4gz.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\Desktop\BootstrapperV1.16.exe
    Filesize

    972KB

    MD5

    90fd25ced85fe6db28d21ae7d1f02e2c

    SHA1

    e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056

    SHA256

    97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f

    SHA512

    1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa

    Download Submit

  • C:\Users\Admin\Desktop\DISCORD
    Filesize

    103B

    MD5

    487ab53955a5ea101720115f32237a45

    SHA1

    c59d22f8bc8005694505addef88f7968c8d393d3

    SHA256

    d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368

    SHA512

    468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c

    Download Submit

  • \ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • \ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit

  • memory/3724-339-0x0000000000280000-0x00000000004E1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3724-283-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/3724-126-0x0000000000280000-0x00000000004E1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3828-12-0x0000000004750000-0x0000000004786000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3828-43-0x0000000009340000-0x000000000935E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3828-13-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3828-15-0x0000000007420000-0x0000000007A48000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3828-14-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3828-17-0x00000000071E0000-0x0000000007202000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3828-18-0x0000000007360000-0x00000000073C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3828-19-0x0000000007A50000-0x0000000007AB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3828-16-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3828-20-0x0000000007B20000-0x0000000007E70000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3828-21-0x0000000007300000-0x000000000731C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3828-22-0x0000000008010000-0x000000000805B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3828-23-0x0000000008300000-0x0000000008376000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3828-282-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3828-40-0x0000000009360000-0x0000000009393000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3828-42-0x000000006BF90000-0x000000006BFDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3828-41-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3828-254-0x0000000009610000-0x0000000009618000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3828-48-0x00000000094A0000-0x0000000009545000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3828-49-0x0000000009680000-0x0000000009714000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3828-249-0x0000000009620000-0x000000000963A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4512-7-0x000000007377E000-0x000000007377F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4512-8-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-0-0x000000007377E000-0x000000007377F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4512-9-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-6-0x00000000099E0000-0x00000000099E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4512-5-0x0000000009CD0000-0x0000000009D08000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4512-4-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-3-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-341-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-2-0x0000000073770000-0x0000000073E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-1-0x0000000000C40000-0x0000000000F18000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/5008-344-0x00000244214D0000-0x00000244215CA000-memory.dmp

    Filesize

    1000KB

    Download