Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
04-11-2024 23:22
General
-
Target
Kirame.Host/Kirame.Host.exe
-
Size
1.6MB
-
MD5
c7085202e7a5620160f9d4fdf1219df2
-
SHA1
abe00b161c2f83ee83133b187262bf6289e88339
-
SHA256
00b2a7341252cef219c7070853a4e7cf4ce086a69de1c10ceee91fe8a6add013
-
SHA512
8f91ba27d9f83be857c12b2b9339ebd83f2f77c11f3d4610347de3f8a54321e25d1ff197596fc952da0920344990738a8de57921250e03c2c4bc340c4b4e7640
-
SSDEEP
24576:eQi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqn+/:evTq24GjdGSgw+W7SCRnVQTEQ/BA8+
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1047654116228345967/dT7jUV207CYFaDTyw5AjhdZqXpjCIIxGZ_EDkNw3xvWyEvVdBpBpamsgIddePN8lC8mc
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kirame.Host\Kirame.Host.exe"C:\Users\Admin\AppData\Local\Temp\Kirame.Host\Kirame.Host.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3708.tmp.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 23323⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57B
MD537fbf5ae1c702cee76a60c256348eff9
SHA176f9cea7bb52f9019f0e29b19a711089f9827313
SHA256c02dde98d3cc55b2dfc80196bbba6d478662a76a39ce5a7cb059a84a119e1deb
SHA51266de8323937fedfb0f8cd03033c90b14e5c4efb991e1d31ed330bc04e795bae31a3e33431dc306f6b066dd63725f7805d7faa8cbdb5ace181fa257cd7e4a8677
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB