General

  • Target

    441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd.exe

  • Size

    547KB

  • Sample

    241016-b1hvsawdqf

  • MD5

    5d7553054e9ecba826011247675a21f7

  • SHA1

    87238aee25f21d4e8a9eabde95cb0e85b857ffe0

  • SHA256

    441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd

  • SHA512

    e4c47e263f38c2bcaafa6d182a616a27fe2dc8fb31806f7e4b092bc6fb16877f3c55dc2e16b0b5e8315d32f317731d91e3689f28a09825d609316acf73fe5628

  • SSDEEP

    12288:iNgODcuwp31BXsBrklrqOhJYYnP8MBWO+jusKHyEO:ug4cVl5erKq21EM8OUKSt

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Targets

    • Target

      441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd.exe

    • Size

      547KB

    • MD5

      5d7553054e9ecba826011247675a21f7

    • SHA1

      87238aee25f21d4e8a9eabde95cb0e85b857ffe0

    • SHA256

      441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd

    • SHA512

      e4c47e263f38c2bcaafa6d182a616a27fe2dc8fb31806f7e4b092bc6fb16877f3c55dc2e16b0b5e8315d32f317731d91e3689f28a09825d609316acf73fe5628

    • SSDEEP

      12288:iNgODcuwp31BXsBrklrqOhJYYnP8MBWO+jusKHyEO:ug4cVl5erKq21EM8OUKSt

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks