General

  • Target

    407bf60ae277abe6ea397d4978057ffb691b42a77dbb7a1e0f79c5579021ee13N

  • Size

    516KB

  • Sample

    241014-nlp2rstgrh

  • MD5

    df46a858a8ea4a3816e5cda5e7d56ac0

  • SHA1

    b1befe306658d2fdd78f341b24271e684c371f82

  • SHA256

    407bf60ae277abe6ea397d4978057ffb691b42a77dbb7a1e0f79c5579021ee13

  • SHA512

    a3e4c842f4e9b4b79a6d680064f87676811c2be30168e3a0400a5aa32aca79b99eb52675077f948c7060c3643acb7af9385063c40893b904b6eec7ce81329975

  • SSDEEP

    12288:bAQApwbeNWSvPR3RRl20zqpHkf0chpZzGYwETEO:8QSvP3RJzAHkf0oIpmt

Malware Config

Extracted

Family

stealc

Botnet

default6_doz

C2

http://62.204.41.150

Attributes

  • url_path

    /edd20096ecef326d.php

Targets

    • Target

      407bf60ae277abe6ea397d4978057ffb691b42a77dbb7a1e0f79c5579021ee13N

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
