stealc | 7708192a11d38c68881d4c035498ab297ef36b5f889e3b0d7d87a7504128d824

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe
Size

6.7MB
MD5

0f761a5d69e4440ca91954456cb086fd
SHA1

d64752c8a340b1a86c747f3b89282e4a2d0d59ef
SHA256

7708192a11d38c68881d4c035498ab297ef36b5f889e3b0d7d87a7504128d824
SHA512

32b0f843f91dd4a4ccd306c542fb61af02228e1561247ebe0dab10d98325accebd231d5c9be43badb13f8ec5c033bee5d966ebf492a0d6015050bad7891e194f
SSDEEP

98304:8P5Syqo6L0/Y6710idhgRC37johsAF9t5YDu8YUw:SXhgRC37jNALQ5YUw

Score

10^/10

stealc discovery stealer

Malware Config

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

60 3708 WerFault.exe 4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe

pid	pid_target	process	target process
60	3708	WerFault.exe	4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe

C:\Users\Admin\AppData\Local\Temp\4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\4780-40-0x0000000000370000-0x0000000000A1B000-memory.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 216
2⤵
- Program crash
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3708 -ip 3708
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-0-0x0000000000AC0000-0x000000000116B000-memory.dmp

Filesize
6.7MB

Download