stealc | 737b4947440cbe2df0a6ee5df12389b5[.]bin

General

Target

737b4947440cbe2df0a6ee5df12389b5.bin
Size

152KB
MD5

6a81251b9e06f0838d3b070ab58bc862
SHA1

c96fb04877d57e5023915133d1eb3a7fdcc3cfb3
SHA256

f949be791757b008515604932e52323a7ffa0893f99f71bba8077bceee712d16
SHA512

45eb6786cbd4597b17d7fc0911ae4ac2d265f5815a38f0a158030883e7298fd552e01710abd53e329e2a0c5b7c2db421c13f41a3b15571885fa9becc263a5010
SSDEEP

3072:Evuy628G/KaXvHEWuBCvGOMjaxdCYLoqRCPWtN5JgZ/JdoN:EvV62YOEDHWMYrRCPW5JqYN

Score

10^/10

7140196255 stealc

Malware Config

Extracted

Family

stealc

Botnet

7140196255

C2

http://178.63.148.7

Attributes

url_path
/2f571d994666c8cb.php

Signatures

Stealc family
stealc

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/ddc8b1f032cf7b0a6dcbb64557ebdeaee842417f0f862f4bf0e0554596e789b7.exe

Files

737b4947440cbe2df0a6ee5df12389b5.bin
.zip

Password: infected
ddc8b1f032cf7b0a6dcbb64557ebdeaee842417f0f862f4bf0e0554596e789b7.exe
.exe windows:5 windows x86 arch:x86

Password: infected

8e9e6de8c6aa184371108e1074479bb3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

strncpy
??_V@YAXPAX@Z
memchr
??_U@YAPAXI@Z
strtok
atexit
strtok_s
strcpy_s
vsprintf_s
memmove
strlen
malloc
free
memcmp
??2@YAPAXI@Z
memset
memcpy
__CxxFrameHandler3

kernel32

GetCurrentProcess
RaiseException
GetStringTypeW
MultiByteToWideChar
LCMapStringW
IsValidCodePage
GetOEMCP
lstrlenA
HeapAlloc
GetProcessHeap
VirtualProtect
WaitForSingleObject
CreateProcessA
lstrcatA
VirtualQueryEx
OpenProcess
ReadProcessMemory
WriteFile
GetACP
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
GetProcAddress
GetModuleHandleW
ExitProcess
Sleep
GetStdHandle
GetModuleFileNameW
GetLastError
LoadLibraryW
TlsGetValue
TlsSetValue
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WideCharToMultiByte

Sections

.text
Size: 115KB - Virtual size: 115KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 121KB - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

8e9e6de8c6aa184371108e1074479bb3

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

kernel32

Sections

.text Size: 115KB - Virtual size: 115KB

.rdata Size: 52KB - Virtual size: 51KB

.data Size: 121KB - Virtual size: 2.2MB

.reloc Size: 17KB - Virtual size: 17KB

.text
Size: 115KB - Virtual size: 115KB

.rdata
Size: 52KB - Virtual size: 51KB

.data
Size: 121KB - Virtual size: 2.2MB

.reloc
Size: 17KB - Virtual size: 17KB